rpms/qemu
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
20b2275a19
qemu/0101-usb-redir-fix-stack-overflow-in-usbredir_log_data.patch
Cole Robinson 335584f502 CVE-2017-8112: vmw_pvscsi: infinite loop in pvscsi_log2 (bz #1445622) 
CVE-2017-8309: audio: host memory lekage via capture buffer (bz #1446520)
CVE-2017-8379: input: host memory lekage via keyboard events (bz #1446560)
CVE-2017-8380: scsi: megasas: out-of-bounds read in megasas_mmio_write (bz #1446578)
CVE-2017-7493: 9pfs: guest privilege escalation in virtfs mapped-file mode (bz #1451711)
CVE-2017-9503: megasas: null pointer dereference while processing megasas command (bz #1459478)
CVE-2017-10806: usb-redirect: stack buffer overflow in debug logging (bz #1468497)
CVE-2017-9524: nbd: segfault due to client non-negotiation (bz #1460172)
CVE-2017-10664: qemu-nbd: server breaks with SIGPIPE upon client abort (bz #1466192)
2017-07-13 16:21:40 -04:00

48 lines
1.4 KiB
Diff
Raw Blame History

From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 9 May 2017 13:01:28 +0200
Subject: [PATCH] usb-redir: fix stack overflow in usbredir_log_data
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Don't reinvent a broken wheel, just use the hexdump function we have.
Impact: low, broken code doesn't run unless you have debug logging
enabled.
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20170509110128.27261-1-kraxel@redhat.com
(cherry picked from commit bd4a683505b27adc1ac809f71e918e58573d851d)
---
hw/usb/redirect.c | 13 +------------
1 file changed, 1 insertion(+), 12 deletions(-)
diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
index 0efe62f725..eb70dc7218 100644
--- a/hw/usb/redirect.c
+++ b/hw/usb/redirect.c
@@ -229,21 +229,10 @@ static void usbredir_log(void *priv, int level, const char *msg)
static void usbredir_log_data(USBRedirDevice *dev, const char *desc,
const uint8_t *data, int len)
{
- int i, j, n;
-
if (dev->debug < usbredirparser_debug_data) {
return;
}
-
- for (i = 0; i < len; i += j) {
- char buf[128];
-
- n = sprintf(buf, "%s", desc);
- for (j = 0; j < 8 && i + j < len; j++) {
- n += sprintf(buf + n, " %02X", data[i + j]);
- }
- error_report("%s", buf);
- }
+ qemu_hexdump((char *)data, stderr, desc, len);
}
/*
Reference in New Issue View Git Blame Copy Permalink