diff options
author | Mauro Matteo Cascella <mcascell@redhat.com> | 2022-07-05 19:47:34 +0200 |
---|---|---|
committer | Gerd Hoffmann <kraxel@redhat.com> | 2022-07-19 14:36:38 +0200 |
commit | 84218892f05515d20347fde4506e1944eb11cb25 (patch) | |
tree | 526f4dd30851f4acd3238923ed16a1ad4cd0eb91 /hw/usb | |
parent | 3ef1497b46c57eba151fb1d0bdd8c8bff8a0f524 (diff) | |
download | qemu-84218892f05515d20347fde4506e1944eb11cb25.zip qemu-84218892f05515d20347fde4506e1944eb11cb25.tar.gz qemu-84218892f05515d20347fde4506e1944eb11cb25.tar.bz2 |
usb/hcd-xhci: check slotid in xhci_wakeup_endpoint()
This prevents an OOB read (followed by an assertion failure in
xhci_kick_ep) when slotid > xhci->numslots.
Reported-by: Soul Chen <soulchen8650@gmail.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Message-Id: <20220705174734.2348829-1-mcascell@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Diffstat (limited to 'hw/usb')
-rw-r--r-- | hw/usb/hcd-xhci.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c index 0cd0a5e..296cc6c 100644 --- a/hw/usb/hcd-xhci.c +++ b/hw/usb/hcd-xhci.c @@ -3269,7 +3269,8 @@ static void xhci_wakeup_endpoint(USBBus *bus, USBEndpoint *ep, DPRINTF("%s\n", __func__); slotid = ep->dev->addr; - if (slotid == 0 || !xhci->slots[slotid-1].enabled) { + if (slotid == 0 || slotid > xhci->numslots || + !xhci->slots[slotid - 1].enabled) { DPRINTF("%s: oops, no slot for dev %d\n", __func__, ep->dev->addr); return; } |