[Spice-devel] [PATCH spice-gtk 29/44] fixup! usb-redir: add files for SCSI and USB MSC implementation

Tue Jul 30 12:03:17 UTC 2019

Better check of cmd_len, avoids possible overflow or failing asserts,
specification state that range should be 1-16.
---
 src/cd-usb-bulk-msd.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/cd-usb-bulk-msd.c b/src/cd-usb-bulk-msd.c
index ab6644f3..95365163 100644
--- a/src/cd-usb-bulk-msd.c
+++ b/src/cd-usb-bulk-msd.c
@@ -272,6 +272,10 @@ static int parse_usb_msd_cmd(UsbCdBulkMsdDevice *cd, uint8_t *buf, uint32_t cbw_
         SPICE_ERROR("CMD: Bad CBW signature:%08x", le32toh(cbw->sig));
         return -1;
     }
+    if (cbw->cmd_len < 1 || cbw->cmd_len >= 16) {
+        SPICE_ERROR("CMD: Bad CBW command len:%08x", cbw->cmd_len);
+        return -1;
+    }
 
     usb_req->lun = cbw->lun;
     usb_req->usb_tag = le32toh(cbw->tag);
@@ -295,7 +299,7 @@ static int parse_usb_msd_cmd(UsbCdBulkMsdDevice *cd, uint8_t *buf, uint32_t cbw_
         scsi_req->buf_len = 0;
     }
 
-    scsi_req->cdb_len = ((uint32_t)cbw->cmd_len) & 0x1F;
+    scsi_req->cdb_len = cbw->cmd_len;
     g_assert(scsi_req->cdb_len <= sizeof(scsi_req->cdb));
     memcpy(scsi_req->cdb, cbw->cmd, scsi_req->cdb_len);
 
-- 
2.20.1

