[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH] usb-serial: Fix memory overruns with usb serial
From: |
Paul Brook |
Subject: |
Re: [Qemu-devel] [PATCH] usb-serial: Fix memory overruns with usb serial emulation |
Date: |
Wed, 17 Sep 2008 11:38:01 +0100 |
User-agent: |
KMail/1.9.9 |
On Wednesday 17 September 2008, Paul Brook wrote:
> On Wednesday 17 September 2008, Jason Wessel wrote:
> > * Fix a memory overrun
> > recv_buf[RECV_BUF + 1];
> > This has to be + 1 because RECV_BUF is used for memcpy computations
> > in usb_serial_read() such that an extra byte is 0..RECV_BUF bytes
> > are used.
>
> I think this is wrong. I can't see any way this code could overflow.
On further inspection I can see a bug, but the above change is not the correct
fix, and it will cause lost data not overflows. The calculation of
first_size is incorrect when the buffer has wrapped.
Paul