1 From 8b98a2f07175d46c3f7217639bd5e03f2ec56343 Mon Sep 17 00:00:00 2001
2 From: Jason Wang <jasowang@redhat.com>
3 Date: Mon, 30 Nov 2015 15:00:06 +0800
4 Subject: [PATCH] pcnet: fix rx buffer overflow(CVE-2015-7512)
6 Backends could provide a packet whose length is greater than buffer
7 size. Check for this and truncate the packet to avoid rx buffer
10 Cc: Prasad J Pandit <pjp@fedoraproject.org>
11 Cc: qemu-stable@nongnu.org
12 Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
13 Signed-off-by: Jason Wang <jasowang@redhat.com>
15 hw/net/pcnet.c | 6 ++++++
16 1 file changed, 6 insertions(+)
18 diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
19 index 309c40b..1f4a3db 100644
22 @@ -1064,6 +1064,12 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
27 +#ifdef PCNET_DEBUG_RMD
28 + fprintf(stderr, "pcnet: truncates rx packet.\n");
32 memcpy(src, buf, size);
33 /* no need to compute the CRC */