1 | From 7aa2bcad0ca837dd6d4bf4fa38a80314b4a6b755 Mon Sep 17 00:00:00 2001 |
2 | From: P J P <pjp@fedoraproject.org> | |
3 | Date: Tue, 15 Sep 2015 16:40:49 +0530 | |
4 | Subject: [PATCH] net: add checks to validate ring buffer pointers | |
5 | ||
6 | Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152) | |
7 | bytes to process network packets. While receiving packets | |
8 | via ne2000_receive() routine, a local 'index' variable | |
9 | could exceed the ring buffer size, which could lead to a | |
10 | memory buffer overflow. Added other checks at initialisation. | |
11 | ||
12 | Reported-by: Qinghao Tang <luodalongde@gmail.com> | |
13 | Signed-off-by: P J P <pjp@fedoraproject.org> | |
14 | Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> | |
15 | (cherry picked from commit 9bbdbc66e5765068dce76e9269dce4547afd8ad4) | |
16 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | |
17 | --- | |
18 | hw/net/ne2000.c | 19 +++++++++++++++---- | |
19 | 1 files changed, 15 insertions(+), 4 deletions(-) | |
20 | ||
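diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
index 3492db3..9278571 100644
--- a/hw/net/ne2000.c
+++ b/hw/net/ne2000.c
@@ -230,6 +230,9 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
 }
 
 index = s->curpag << 8;
+ if (index >= NE2000_PMEM_END) {
+ index = s->start;
+ }
 /* 4 bytes for header */
 total_len = size + 4;
 /* address for next packet (4 bytes for CRC) */
@@ -315,13 +318,19 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
 offset = addr | (page << 4);
 switch(offset) {
 case EN0_STARTPG:
- s->start = val << 8;
+ if (val << 8 <= NE2000_PMEM_END) {
+ s->start = val << 8;
+ }
 break;
 case EN0_STOPPG:
- s->stop = val << 8;
+ if (val << 8 <= NE2000_PMEM_END) {
+ s->stop = val << 8;
+ }
 break;
 case EN0_BOUNDARY:
- s->boundary = val;
+ if (val << 8 < NE2000_PMEM_END) {
+ s->boundary = val;
+ }
 break;
 case EN0_IMR:
 s->imr = val;
@@ -362,7 +371,9 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
 s->phys[offset - EN1_PHYS] = val;
 break;
 case EN1_CURPAG:
- s->curpag = val;
+ if (val << 8 < NE2000_PMEM_END) {
+ s->curpag = val;
+ }
 break;
 case EN1_MULT ... EN1_MULT + 7:
 s->mult[offset - EN1_MULT] = val;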
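Review bot: The recovery in the first hunk, `index = s->start`, can still leave index equal to NE2000_PMEM_END, because the EN0_STARTPG case in the second hunk accepts `val << 8 <= NE2000_PMEM_END`, so a guest can place start at the very end of the buffer and the `>=` guard on index then resets it to a value it just rejected; the write into the ring that follows lies outside the hunk, so whether that address is bounded again later cannot be confirmed from here. The start register should be held strictly inside the buffer like EN0_BOUNDARY and EN1_CURPAG are, i.e. `if (val << 8 < NE2000_PMEM_END) {` for EN0_STARTPG, and nothing in the hunks keeps stop above start, which the ring arithmetic presumably relies on. Each rejected register write is also dropped silently; a `qemu_log_mask(LOG_GUEST_ERROR, ...)` in those branches would make an out-of-range programming of the NIC visible in the log instead of invisible. Both ne2000_receive and the ne2000_ioport_write switch continue outside the hunks.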
69 | -- | |
70 | 1.7.0.4 | |