From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:48689) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aQQpj-0007a7-Cj for qemu-devel@nongnu.org; Mon, 01 Feb 2016 21:36:48 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1aQQpi-00005u-HX for qemu-devel@nongnu.org; Mon, 01 Feb 2016 21:36:47 -0500 Received: from mx1.redhat.com ([209.132.183.28]:52305) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aQQpi-00005q-Ca for qemu-devel@nongnu.org; Mon, 01 Feb 2016 21:36:46 -0500 From: Jason Wang Date: Tue, 2 Feb 2016 10:36:07 +0800 Message-Id: <1454380581-7881-4-git-send-email-jasowang@redhat.com> In-Reply-To: <1454380581-7881-1-git-send-email-jasowang@redhat.com> References: <1454380581-7881-1-git-send-email-jasowang@redhat.com> Subject: [Qemu-devel] [PULL 03/17] net: cadence_gem: check packet size in gem_recieve List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: peter.maydell@linaro.org, qemu-devel@nongnu.org Cc: Jason Wang , Prasad J Pandit From: Prasad J Pandit While receiving packets in 'gem_receive' routine, if Frame Check Sequence(FCS) is enabled, it copies the packet into a local buffer without checking its size. Add check to validate packet length against the buffer size to avoid buffer overflow. Reported-by: Ling Liu Signed-off-by: Prasad J Pandit Signed-off-by: Jason Wang --- hw/net/cadence_gem.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c index f9e4091..e513d9d 100644 --- a/hw/net/cadence_gem.c +++ b/hw/net/cadence_gem.c @@ -678,6 +678,10 @@ static ssize_t gem_receive(NetClientState *nc, const uint8_t *buf, size_t size) } else { unsigned crc_val; + if (size > sizeof(rxbuf) - sizeof(crc_val)) { + size = sizeof(rxbuf) - sizeof(crc_val); + } + bytes_to_copy = size; /* The application wants the FCS field, which QEMU does not provide. * We must try and calculate one. */ -- 2.5.0