[PATCH] usbredirhost: prevent overflow in usbredirhost_set_iso_threshold
Uri Lublin
ulublin at redhat.com
Tue Aug 20 11:42:58 UTC 2024
Hi Anastasia,
Thanks for sending a patch.
On Tue, Aug 13, 2024 at 12:34 PM Anastasia Belova <abelova at astralinux.ru>
wrote:
> Cc'ing Victor Toso
>
> 01/07/24 14:11, Anastasia Belova:
> > pkts_per_transfer < MAX_PACKETS_PER_TRANSFER = 32.
> > transfer_count < MAX_TRANSFER_COUNT = 16.
> > max_packetsize = maxp * mult. mult <= 3.
> > maxp <= 0x7ff. If all variables have their max value,
> > the result will be bigger that uint16_t.
> > Add an explicit cast.
> >
> > Signed-off-by: Anastasia Belova <abelova at astralinux.ru>
> > ---
> > usbredirhost/usbredirhost.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/usbredirhost/usbredirhost.c b/usbredirhost/usbredirhost.c
> > index 03c56e9..ca19473 100644
> > --- a/usbredirhost/usbredirhost.c
> > +++ b/usbredirhost/usbredirhost.c
> > @@ -1193,7 +1193,7 @@ static void usbredirhost_stop_stream(struct
> usbredirhost *host,
> > static void usbredirhost_set_iso_threshold(struct usbredirhost *host,
> > uint8_t pkts_per_transfer, uint8_t transfer_count, uint16_t
> max_packetsize)
> > {
> > - uint64_t reference = pkts_per_transfer * transfer_count *
> max_packetsize;
> > + uint64_t reference = (uint64_t)pkts_per_transfer * transfer_count *
> max_packetsize;
>
It feels safer.
I think it's already not a problem, since all multiplication arguments are
of
small integer types, so they are promoted to int, like
uint64_t reference = (int)pkts_per_transfer * (int)transfer_count *
(int)max_packetsize
which is smaller than 32*16*3*2048 < INT_MAX (for a 4 bytes int)
Regards,
Uri.
> host->iso_threshold.lower = reference / 2;
> > host->iso_threshold.higher = reference * 3;
> > DEBUG("higher threshold is %" PRIu64 " bytes | lower threshold is
> %" PRIu64 " bytes",
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/spice-devel/attachments/20240820/fde57256/attachment.htm>
More information about the Spice-devel
mailing list