CVE-2020-14364: QEMU USB module out-of-bounds read and write Vulnerability Alert

@@ -129,6 +129,7 @@ void usb_wakeup(USBEndpoint *ep, unsigned int stream)

 static void do_token_setup(USBDevice *s, USBPacket *p)

 {

     int request, value, index;

+    unsigned int setup_len;



     if (p->iov.size != 8) {

         p->status = USB_RET_STALL;

@@ -138,14 +139,15 @@ static void do_token_setup(USBDevice *s, USBPacket *p)

     usb_packet_copy(p, s->setup_buf, p->iov.size);

     s->setup_index = 0;

     p->actual_length = 0;

-    s->setup_len   = (s->setup_buf[7] << 8) | s->setup_buf[6];

-    if (s->setup_len > sizeof(s->data_buf)) {

+    setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];

+    if (setup_len > sizeof(s->data_buf)) {

         fprintf(stderr,

                 "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",

-                s->setup_len, sizeof(s->data_buf));

+                setup_len, sizeof(s->data_buf));

         p->status = USB_RET_STALL;

         return;

     }

+    s->setup_len = setup_len;