Merge remote-tracking branch 'remotes/kraxel/tags/usb-20210505-pull-request' into staging

usb: fix some memory allocation issues (CVE-2021-3527).
usb: add stubs, allow building without usb subsystem.

# gpg: Signature made Wed 05 May 2021 14:07:02 BST
# gpg:                using RSA key A0328CFFB93A17A79901FE7D4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full]
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>" [full]
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full]
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/usb-20210505-pull-request:
  usb: limit combined packets to 1 MiB (CVE-2021-3527)
  usb/mtp: avoid dynamic stack allocation
  usb/redir: avoid dynamic stack allocation (CVE-2021-3527)
  usb/hid: avoid dynamic stack allocation
  hw/usb: Do not build USB subsystem if not required
  hw/usb/host-stub: Remove unused header

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

1 files changed, 2 insertions, 1 deletions

diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index bbb8274344..2a895a73b0 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -907,7 +907,8 @@ static MTPData *usb_mtp_get_object_handles(MTPState *s, MTPControl *c,
                                            MTPObject *o)
 {
     MTPData *d = usb_mtp_data_alloc(c);
-    uint32_t i = 0, handles[o->nchildren];
+    uint32_t i = 0;
+    g_autofree uint32_t *handles = g_new(uint32_t, o->nchildren);
     MTPObject *iter;
 
     trace_usb_mtp_op_get_object_handles(s->dev.addr, o->handle, o->path);