debian/patches/net-add-checks-to-validate-ring-buffer-pointers.patch

   1 From 7aa2bcad0ca837dd6d4bf4fa38a80314b4a6b755 Mon Sep 17 00:00:00 2001
   2 From: P J P <pjp@fedoraproject.org>
   3 Date: Tue, 15 Sep 2015 16:40:49 +0530
   4 Subject: [PATCH] net: add checks to validate ring buffer pointers
   5
   6 Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
   7 bytes to process network packets. While receiving packets
   8 via ne2000_receive() routine, a local 'index' variable
   9 could exceed the ring buffer size, which could lead to a
  10 memory buffer overflow. Added other checks at initialisation.
  11
  12 Reported-by: Qinghao Tang <luodalongde@gmail.com>
  13 Signed-off-by: P J P <pjp@fedoraproject.org>
  14 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
  15 (cherry picked from commit 9bbdbc66e5765068dce76e9269dce4547afd8ad4)
  16 Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  17 ---
  18  hw/net/ne2000.c |   19 +++++++++++++++----
  19  1 files changed, 15 insertions(+), 4 deletions(-)
  20
  21 diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
  22 index 3492db3..9278571 100644
  23 --- a/hw/net/ne2000.c
  24 +++ b/hw/net/ne2000.c
  25 @@ -230,6 +230,9 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
  26      }
  27
  28      index = s->curpag << 8;
  29 +    if (index >= NE2000_PMEM_END) {
  30 +        index = s->start;
  31 +    }
  32      /* 4 bytes for header */
  33      total_len = size + 4;
  34      /* address for next packet (4 bytes for CRC) */
  35 @@ -315,13 +318,19 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
  36          offset = addr | (page << 4);
  37          switch(offset) {
  38          case EN0_STARTPG:
  39 -            s->start = val << 8;
  40 +            if (val << 8 <= NE2000_PMEM_END) {
  41 +                s->start = val << 8;
  42 +            }
  43              break;
  44          case EN0_STOPPG:
  45 -            s->stop = val << 8;
  46 +            if (val << 8 <= NE2000_PMEM_END) {
  47 +                s->stop = val << 8;
  48 +            }
  49              break;
  50          case EN0_BOUNDARY:
  51 -            s->boundary = val;
  52 +            if (val << 8 < NE2000_PMEM_END) {
  53 +                s->boundary = val;
  54 +            }
  55              break;
  56          case EN0_IMR:
  57              s->imr = val;
  58 @@ -362,7 +371,9 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
  59              s->phys[offset - EN1_PHYS] = val;
  60              break;
  61          case EN1_CURPAG:
  62 -            s->curpag = val;
  63 +            if (val << 8 < NE2000_PMEM_END) {
  64 +                s->curpag = val;
  65 +            }
  66              break;
  67          case EN1_MULT ... EN1_MULT + 7:
  68              s->mult[offset - EN1_MULT] = val;
  69 --
  70 1.7.0.4
  71