1 | From b5cfb53ba6a976d0d478eb438a5ada3b719e8d59 Mon Sep 17 00:00:00 2001 |
2 | From: chaojianhu <chaojianhu@hotmail.com> | |
3 | Date: Tue, 9 Aug 2016 11:52:54 +0800 | |
4 | Subject: [PATCH 2/5] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite | |
5 | ||
6 | The .receive callback of xlnx.xps-ethernetlite doesn't check the length | |
7 | of data before calling memcpy. As a result, the NetClientState object on | |
8 | the heap is overflowed. All versions of qemu with xlnx.xps-ethernetlite | |
9 | are affected. | |
10 | ||
11 | Reported-by: chaojianhu <chaojianhu@hotmail.com> | |
12 | Signed-off-by: chaojianhu <chaojianhu@hotmail.com> | |
13 | Signed-off-by: Jason Wang <jasowang@redhat.com> | |
14 | --- | |
15 | hw/net/xilinx_ethlite.c | 4 ++++ | |
16 | 1 file changed, 4 insertions(+) | |
17 | ||
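diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c
index bc846e7..12b7419 100644
--- a/hw/net/xilinx_ethlite.c
+++ b/hw/net/xilinx_ethlite.c
@@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t *buf, size_t size)
     }
 
     D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase));
+    if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4) {
+        D(qemu_log("ethlite packet is too big, size=%x\n", size));
+        return -1;
+    }
     memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size);
 
     s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;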
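Review bot: The added debug line `D(qemu_log("ethlite packet is too big, size=%x\n", size));` formats a `size_t` with `%x`, which is a format/argument mismatch (undefined behaviour) and is inconsistent with the `%zd` used for the same variable one line above; it should read `D(qemu_log("ethlite packet is too big, size=%zx\n", size));`. Because the call is wrapped in the `D()` macro it presumably only compiles in debug builds, so the defect is latent rather than on the release path. The new bound `size > (R_MAX - R_RX_BUF0 - rxbase) * 4` compares the unsigned `size` against a signed expression; if rxbase could ever exceed `R_MAX - R_RX_BUF0` the right-hand side would go negative, convert to a huge unsigned value and let the memcpy through, so a comment such as `/* rxbase is 0 or the second-buffer offset, always < R_MAX - R_RX_BUF0 */` (confirm against the derivation) would make the invariant the check relies on explicit. eth_rx begins before this hunk, so the code that computes rxbase is not visible here.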
33 | -- | |
34 | 2.1.4 | |
35 |