Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:15-SP6
qemu.28156
0234-usbredir-fix-free-call.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0234-usbredir-fix-free-call.patch of Package qemu.28156
From: Gerd Hoffmann <kraxel@redhat.com> Date: Thu, 22 Jul 2021 09:27:56 +0200 Subject: usbredir: fix free call MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Git-commit: 5e796671e6b8d5de4b0b423dce1b3eba144a92c9 References: bsc#1189145 CVE-2021-3682 data might point into the middle of a larger buffer, there is a separate free_on_destroy pointer passed into bufp_alloc() to handle that. It is only used in the normal workflow though, not when dropping packets due to the queue being full. Fix that. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/491 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20210722072756.647673-1-kraxel@redhat.com> Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com> --- hw/usb/redirect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c index 9dc5a83513361b2c3948ab73511e..e520e6574d0b5eedf40ea74af3b0 100644 --- a/hw/usb/redirect.c +++ b/hw/usb/redirect.c @@ -458,7 +458,7 @@ static int bufp_alloc(USBRedirDevice *dev, uint8_t *data, uint16_t len, if (dev->endpoint[EP2I(ep)].bufpq_dropping_packets) { if (dev->endpoint[EP2I(ep)].bufpq_size > dev->endpoint[EP2I(ep)].bufpq_target_size) { - free(data); + free(free_on_destroy); return -1; } dev->endpoint[EP2I(ep)].bufpq_dropping_packets = 0;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor