From: Jason Wang
Subject: Re: [Qemu-trivial] [PATCH] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite
Date: Tue, 9 Aug 2016 11:51:18 +0800
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
On 2016-08-09 10:24, chaojianhu wrote:
The .receive callback of xlnx.xps-ethernetlite doesn't check the length of data before calling memcpy. As a result, the NetClientState object in heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite will be affected.
Reported-by: chaojianhu <address@hidden>
Patch looks correct. But as reported, please add Signed-off-by with your name and repost.
Thanks
--- hw/net/xilinx_ethlite.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c index 54db2b8..6d3eecc 100644 --- a/hw/net/xilinx_ethlite.c +++ b/hw/net/xilinx_ethlite.c @@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t *buf, size_t size) }D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase));+ if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4 ) { + D(qemu_log("ethlite packet is too big, size=%x\n", size); + return -1; + } memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size);s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;
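Review bot: the added `D(qemu_log("ethlite packet is too big, size=%x\n", size);` line has unbalanced parentheses: `D(` is opened but never closed, so the debug macro invocation will not preprocess cleanly; it should read `D(qemu_log("ethlite packet is too big, size=%x\n", size));`. The same line formats `size` (declared `size_t` in the hunk header) with `%x`, whereas the existing log line just above uses `%zd`; use `%zu` or `%zx` to match the type. Minor style point: drop the space before the closing parenthesis in `* 4 )`. The bound itself, `(R_MAX - R_RX_BUF0 - rxbase) * 4`, correctly converts the remaining 32-bit registers to a byte count before comparing with `size`.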
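The check the patch adds is easy to get subtly wrong (word versus byte units, off-by-one at the end of the register file), so the following is an added, self-contained model of the receive path with that check in place. It is not code from the patch or from QEMU: the register offsets, the `EthLiteModel` struct, the `canary` field and the helper names are assumptions chosen so the model can be compiled and exercised on its own; only the shape of the bound, `(R_MAX - R_RX_BUF0 - rxbase)` registers of 4 bytes each, follows the hunk.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Register map of the model, in 32-bit words. These offsets are assumed
 * values chosen to resemble a dual-buffer EthernetLite layout; they are
 * not taken from the patch. */
#define R_RX_BUF0   (0x1000 / 4)
#define R_RX_CTRL0  (0x17fc / 4)
#define R_RX_BUF1   (0x1800 / 4)
#define R_RX_CTRL1  (0x1ffc / 4)
#define R_MAX       (0x2000 / 4)
#define CTRL_S      (1u << 0)

/* Device state as modelled here: a fixed array of 32-bit registers.
 * The canary sits directly after regs[]; if a copy ever changes it,
 * the copy ran past the end of the register file. */
typedef struct {
    uint32_t regs[R_MAX];
    uint32_t canary;
} EthLiteModel;

/* Bytes that fit between regs[rxbase + R_RX_BUF0] and the end of regs[].
 * This is the bound the patch compares 'size' against, with the word
 * count converted to bytes. */
static size_t eth_rx_capacity(unsigned rxbase)
{
    if (rxbase + R_RX_BUF0 >= R_MAX) {
        return 0;
    }
    return (size_t)(R_MAX - R_RX_BUF0 - rxbase) * sizeof(uint32_t);
}

/* Checked receive path: frames that would not fit are dropped before
 * memcpy runs. Returns the bytes consumed, or -1 when the frame is
 * rejected. The size_t is printed with %zu, matching its type. */
static ssize_t eth_rx_checked(EthLiteModel *s, unsigned rxbase,
                              const uint8_t *buf, size_t size)
{
    if (size > eth_rx_capacity(rxbase)) {
        fprintf(stderr, "ethlite packet is too big, size=%zu\n", size);
        return -1;
    }
    memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size);
    s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;
    return (ssize_t)size;
}

/* Drives two constructed frames through the checked path: a 64-byte
 * frame, and one a single byte longer than the register file can hold.
 * Returns the number of frames accepted (1), or -1 if the canary was
 * disturbed, i.e. if the copy escaped regs[]. */
static int eth_rx_demo(void)
{
    static EthLiteModel s;
    static uint8_t frame[4097];   /* constructed input: all 'A' bytes */
    int accepted = 0;

    memset(&s, 0, sizeof(s));
    s.canary = 0xdeadbeefu;
    memset(frame, 'A', sizeof(frame));

    if (eth_rx_checked(&s, 0, frame, 64) == 64) {
        accepted++;
    }
    if (eth_rx_checked(&s, 0, frame, sizeof(frame)) >= 0) {
        accepted++;
    }
    return s.canary == 0xdeadbeefu ? accepted : -1;
}

int main(void)
{
    printf("capacity at rxbase 0: %zu bytes\n", eth_rx_capacity(0));
    printf("capacity at buffer 1: %zu bytes\n",
           eth_rx_capacity(R_RX_BUF1 - R_RX_BUF0));
    printf("frames accepted: %d\n", eth_rx_demo());
    return 0;
}
```

Note that the bound is the end of the register array, exactly as in the hunk; it stops the heap overflow but still allows a frame to spill past its own buffer into the control register and the second buffer, which is a separate device-correctness question the patch does not address.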