usb: control buffer fixes

Windows allows control transfers to pass up to 4k of data, so raise our
control buffer size to 4k. For control out transfers the usb core code copies
the control request data to a buffer before calling the device's handle_control
callback. Add a check for overflowing the buffer before copying the data.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>

diff --git a/hw/usb.c b/hw/usb.c
index 82a6217a0b5f94b3d7f83ccc5c43c9608eb8bd1e..d8c0a75c3a1a269b7a7c4e1d7ecab8d64554bc65 100644 (file)
--- a/hw/usb.c
+++ b/hw/usb.c
@@ -93,6 +93,12 @@ static int do_token_setup(USBDevice *s, USBPacket *p)
             s->setup_len = ret;
         s->setup_state = SETUP_STATE_DATA;
     } else {
+        if (s->setup_len > sizeof(s->data_buf)) {
+            fprintf(stderr,
+                "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+                s->setup_len, sizeof(s->data_buf));
+            return USB_RET_STALL;
+        }
         if (s->setup_len == 0)
             s->setup_state = SETUP_STATE_ACK;
         else

diff --git a/hw/usb.h b/hw/usb.h
index d3d755db7bfa82890ef1fecda2d24e81321e1904..22bb3385ba6747d8983f7e35bbdf31d947dd02f2 100644 (file)
--- a/hw/usb.h
+++ b/hw/usb.h
@@ -167,7 +167,7 @@ struct USBDevice {
 
     int32_t state;
     uint8_t setup_buf[8];
-    uint8_t data_buf[1024];
+    uint8_t data_buf[4096];
     int32_t remote_wakeup;
     int32_t setup_state;
     int32_t setup_len;