1 From 7aa2bcad0ca837dd6d4bf4fa38a80314b4a6b755 Mon Sep 17 00:00:00 2001
2 From: P J P <pjp@fedoraproject.org>
3 Date: Tue, 15 Sep 2015 16:40:49 +0530
4 Subject: [PATCH] net: add checks to validate ring buffer pointers
6 Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
7 bytes to process network packets. While receiving packets
8 via ne2000_receive() routine, a local 'index' variable
9 could exceed the ring buffer size, which could lead to a
10 memory buffer overflow. Added other checks at initialisation.
12 Reported-by: Qinghao Tang <luodalongde@gmail.com>
13 Signed-off-by: P J P <pjp@fedoraproject.org>
14 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
15 (cherry picked from commit 9bbdbc66e5765068dce76e9269dce4547afd8ad4)
16 Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
18 hw/net/ne2000.c | 19 +++++++++++++++----
19 1 files changed, 15 insertions(+), 4 deletions(-)
21 diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
22 index 3492db3..9278571 100644
25 @@ -230,6 +230,9 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
28 index = s->curpag << 8;
29 + if (index >= NE2000_PMEM_END) {
32 /* 4 bytes for header */
34 /* address for next packet (4 bytes for CRC) */
35 @@ -315,13 +318,19 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
36 offset = addr | (page << 4);
39 - s->start = val << 8;
40 + if (val << 8 <= NE2000_PMEM_END) {
41 + s->start = val << 8;
46 + if (val << 8 <= NE2000_PMEM_END) {
52 + if (val << 8 < NE2000_PMEM_END) {
58 @@ -362,7 +371,9 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
59 s->phys[offset - EN1_PHYS] = val;
63 + if (val << 8 < NE2000_PMEM_END) {
67 case EN1_MULT ... EN1_MULT + 7:
68 s->mult[offset - EN1_MULT] = val;