From 416a6f3bf137b8e6782dd7c1f9563afe8ee97b19 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Tue, 9 May 2017 13:01:28 +0200 Subject: [PATCH] usb-redir: fix stack overflow in usbredir_log_data MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Don't reinvent a broken wheel, just use the hexdump function we have. Impact: low, broken code doesn't run unless you have debug logging enabled. Reported-by: 李强 Signed-off-by: Gerd Hoffmann Message-id: 20170509110128.27261-1-kraxel@redhat.com (cherry picked from commit bd4a683505b27adc1ac809f71e918e58573d851d) [BR: BSC#1047674 CVE-2017-10806] Signed-off-by: Bruce Rogers --- hw/usb/redirect.c | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c index 0efe62f725..eb70dc7218 100644 --- a/hw/usb/redirect.c +++ b/hw/usb/redirect.c @@ -229,21 +229,10 @@ static void usbredir_log(void *priv, int level, const char *msg) static void usbredir_log_data(USBRedirDevice *dev, const char *desc, const uint8_t *data, int len) { - int i, j, n; - if (dev->debug < usbredirparser_debug_data) { return; } - - for (i = 0; i < len; i += j) { - char buf[128]; - - n = sprintf(buf, "%s", desc); - for (j = 0; j < 8 && i + j < len; j++) { - n += sprintf(buf + n, " %02X", data[i + j]); - } - error_report("%s", buf); - } + qemu_hexdump((char *)data, stderr, desc, len); } /*