From 8145ff63037870c548702cbf256bf4e7cb197b93 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josef=20S=C3=B6ntgen?=
Date: Mon, 13 Feb 2023 11:10:23 +0100
Subject: [PATCH] qemu-usb: only copy data when packet succeeded
In case the packet is erronous the value of 'actual_size' can be invalid and using it may lead to a page-fault due to out-of-bounce access. With this commit access is only performed on successful packets.
Fixes #4763.
---
 repos/libports/src/lib/qemu-usb/host.cc | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/repos/libports/src/lib/qemu-usb/host.cc b/repos/libports/src/lib/qemu-usb/host.cc
index 0ef3c6b219..023d9f1dc8 100644
--- a/repos/libports/src/lib/qemu-usb/host.cc
+++ b/repos/libports/src/lib/qemu-usb/host.cc
@@ -162,15 +162,16 @@ struct Completion : Usb::Completion
 p->actual_length = 0;
- if (p->pid == USB_TOKEN_IN && actual_size > 0) {
- if (data) Genode::memcpy(data, content, actual_size);
- else usb_packet_copy(p, content, actual_size);
- }
+ if (packet.succeded) {
- p->actual_length = actual_size;
+ if (p->pid == USB_TOKEN_IN && actual_size > 0) {
+ if (data) Genode::memcpy(data, content, actual_size);
+ else usb_packet_copy(p, content, actual_size);
+ }
- if (packet.succeded)
+ p->actual_length = actual_size;
 p->status = USB_RET_SUCCESS;
+ } else {
 if (packet.error == Packet_error::STALL_ERROR)
 p->status = USB_RET_STALL;