-rw-r--r--hw/usb.c6
-rw-r--r--hw/usb.h2
2 files changed, 7 insertions, 1 deletions
diff --git a/hw/usb.c b/hw/usb.c
index 82a6217a0b..d8c0a75c3a 100644
--- a/hw/usb.c
+++ b/hw/usb.c
@@ -93,6 +93,12 @@ static int do_token_setup(USBDevice *s, USBPacket *p)
s->setup_len = ret;
s->setup_state = SETUP_STATE_DATA;
} else {
+ if (s->setup_len > sizeof(s->data_buf)) {
+ fprintf(stderr,
+ "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+ s->setup_len, sizeof(s->data_buf));
+ return USB_RET_STALL;
+ }
if (s->setup_len == 0)
s->setup_state = SETUP_STATE_ACK;
else
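Review bot: On the reject path added in the else branch, `s->setup_len` keeps the oversized value after `return USB_RET_STALL;`, because the check only reads the field and never resets it. If later token handlers (outside this hunk) use `setup_len` to bound copies into `data_buf`, they would work with a length already judged too large; clearing it first with `s->setup_len = 0;` before the return, or validating the length in a local before storing it in the device state, would close that gap. The check also covers only the else branch: the branch above assigns `s->setup_len = ret` and its bound is not visible here, so confirm that path is limited to `sizeof(s->data_buf)` as well. The message names `usb_generic_handle_packet` although the hunk header places this code in `do_token_setup`, whose body continues outside the hunk.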
diff --git a/hw/usb.h b/hw/usb.h
index d3d755db7b..22bb3385ba 100644
--- a/hw/usb.h
+++ b/hw/usb.h
@@ -167,7 +167,7 @@ struct USBDevice {
int32_t state;
uint8_t setup_buf[8];
- uint8_t data_buf[1024];
+ uint8_t data_buf[4096];
int32_t remote_wakeup;
int32_t setup_state;
int32_t setup_len;