usb: control buffer fixes Windows allows control transfers to pass up to 4k of data, so raise our control buffer size to 4k. For control out transfers the usb core code copies the control request data to a buffer before calling the device's handle_control callback. Add a check for overflowing the buffer before copying the data. Signed-off-by: Hans de Goede <hdegoede@redhat.com>

commit: 19f3322379c25a235eb1ec6335676549109fa625 [log] [tgz]
author: Hans de Goede <hdegoede@redhat.com> Wed Feb 02 17:46:00 2011 +0100
committer: Gerd Hoffmann <kraxel@redhat.com> Wed May 04 12:25:52 2011 +0200
tree: d833d9d4e6e0d8f0cd7bbb9e57a554ed1c7d1e1a
parent: bb6d5498c6756eba3d0779c7753fc8830a8a9078 [diff] [blame]
diff --git a/hw/usb.c b/hw/usb.c
index 82a6217..d8c0a75 100644
--- a/hw/usb.c
+++ b/hw/usb.c

@@ -93,6 +93,12 @@
             s->setup_len = ret;
         s->setup_state = SETUP_STATE_DATA;
     } else {
+        if (s->setup_len > sizeof(s->data_buf)) {
+            fprintf(stderr,
+                "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+                s->setup_len, sizeof(s->data_buf));
+            return USB_RET_STALL;
+        }
         if (s->setup_len == 0)
             s->setup_state = SETUP_STATE_ACK;
         else
commit	19f3322379c25a235eb1ec6335676549109fa625	[log] [tgz]
author	Hans de Goede <hdegoede@redhat.com>	Wed Feb 02 17:46:00 2011 +0100
committer	Gerd Hoffmann <kraxel@redhat.com>	Wed May 04 12:25:52 2011 +0200
tree	d833d9d4e6e0d8f0cd7bbb9e57a554ed1c7d1e1a
parent	bb6d5498c6756eba3d0779c7753fc8830a8a9078 [diff] [blame]