diff options
| author | Peter Maydell <peter.maydell@linaro.org> | 2016-02-23 10:57:31 +0000 |
|---|---|---|
| committer | Peter Maydell <peter.maydell@linaro.org> | 2016-02-23 10:57:31 +0000 |
| commit | ea6e4981bfb33aeb0035088b883a159de1483cba (patch) | |
| tree | 5138e06933f9ee89d68dbfb879dd04a716c55fe4 /hw/usb/core.c | |
| parent | 8eb779e4223a18db9838a49ece1bc72cfdfb7761 (diff) | |
| parent | fa1298c2d623522eda7b4f1f721fcb935abb7360 (diff) | |
Merge remote-tracking branch 'remotes/kraxel/tags/pull-usb-20160223-1' into staging
usb: misc bugfixes.
# gpg: Signature made Tue 23 Feb 2016 10:53:01 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg: aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>"
* remotes/kraxel/tags/pull-usb-20160223-1:
ohci: allocate timer only once.
usb: add pid check at the first of uhci_handle_td()
usb: check RNDIS buffer offsets & length
usb: check RNDIS message length
tusb6010: move from hw/timer to hw/usb
usb: check USB configuration descriptor object
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'hw/usb/core.c')
| -rw-r--r-- | hw/usb/core.c | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/hw/usb/core.c b/hw/usb/core.c index bea5e1ee8b..45fa00c517 100644 --- a/hw/usb/core.c +++ b/hw/usb/core.c @@ -129,9 +129,16 @@ static void do_token_setup(USBDevice *s, USBPacket *p) } usb_packet_copy(p, s->setup_buf, p->iov.size); + s->setup_index = 0; p->actual_length = 0; s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6]; - s->setup_index = 0; + if (s->setup_len > sizeof(s->data_buf)) { + fprintf(stderr, + "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n", + s->setup_len, sizeof(s->data_buf)); + p->status = USB_RET_STALL; + return; + } request = (s->setup_buf[0] << 8) | s->setup_buf[1]; value = (s->setup_buf[3] << 8) | s->setup_buf[2]; @@ -152,13 +159,6 @@ static void do_token_setup(USBDevice *s, USBPacket *p) } s->setup_state = SETUP_STATE_DATA; } else { - if (s->setup_len > sizeof(s->data_buf)) { - fprintf(stderr, - "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n", - s->setup_len, sizeof(s->data_buf)); - p->status = USB_RET_STALL; - return; - } if (s->setup_len == 0) s->setup_state = SETUP_STATE_ACK; else @@ -177,7 +177,7 @@ static void do_token_in(USBDevice *s, USBPacket *p) request = (s->setup_buf[0] << 8) | s->setup_buf[1]; value = (s->setup_buf[3] << 8) | s->setup_buf[2]; index = (s->setup_buf[5] << 8) | s->setup_buf[4]; - + switch(s->setup_state) { case SETUP_STATE_ACK: if (!(s->setup_buf[0] & USB_DIR_IN)) { |