From b5cfb53ba6a976d0d478eb438a5ada3b719e8d59 Mon Sep 17 00:00:00 2001
From: chaojianhu <chaojianhu@hotmail.com>
Date: Tue, 9 Aug 2016 11:52:54 +0800
Subject: [PATCH 2/5] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite
The .receive callback of xlnx.xps-ethernetlite doesn't check the length
of data before calling memcpy. As a result, the NetClientState object on the
heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite
will be affected.
Reported-by: chaojianhu <chaojianhu@hotmail.com>
Signed-off-by: chaojianhu <chaojianhu@hotmail.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
hw/net/xilinx_ethlite.c | 4 ++++
1 file changed, 4 insertions(+)
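diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c
index bc846e7..12b7419 100644
--- a/hw/net/xilinx_ethlite.c
+++ b/hw/net/xilinx_ethlite.c
@@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t *buf, size_t size)
     }
 
     D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase));
+    if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4) {
+        D(qemu_log("ethlite packet is too big, size=%x\n", size));
+        return -1;
+    }
     memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size);
 
     s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;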
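Review bot: The new log call on the second added line passes `size`, declared `size_t` in eth_rx's signature, to `%x`, which expects `unsigned int`; the existing log one line above uses `%zd` for the same variable, so this is both inconsistent and a format/argument mismatch (undefined behaviour wherever the D() macro expands to a real call) — use `D(qemu_log("ethlite packet is too big, size=%zu\n", size));`. Separately, the added bound compares against everything from the buffer start up to R_MAX rather than a single receive slot, so a packet that fits inside regs[] but exceeds one slot can still overwrite the R_RX_CTRL0 word written right after the memcpy (assuming R_RX_CTRL0 lies above R_RX_BUF0, as the names suggest) and presumably the neighbouring buffer; if guarding only the array bounds is the intent, a comment such as `/* bound check covers regs[] only; an oversized frame may still clobber the slot's control word */` would make that explicit, otherwise a slot-sized bound is the tighter fix. eth_rx begins before this hunk, so the declaration of rxbase and the definition of D() are not visible here.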
--
2.1.4