From: Alistair Francis
Date: Tue, 9 Aug 2016 16:15:29 -0700
Subject: Re: [Qemu-devel] [PULL 3/3] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite
To: Jason Wang
Cc: qemu-devel@nongnu.org Developers, Peter Maydell, chaojianhu
In-Reply-To: <1470728073-30141-4-git-send-email-jasowang@redhat.com>
References: <1470728073-30141-1-git-send-email-jasowang@redhat.com> <1470728073-30141-4-git-send-email-jasowang@redhat.com>

On Tue, Aug 9, 2016 at 12:34 AM, Jason Wang wrote:
> From: chaojianhu
>
> The .receive callback of xlnx.xps-ethernetlite doesn't check the length
> of data before calling memcpy. As a result, the NetClientState object in
> heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite
> will be affected.
>
> Reported-by: chaojianhu
> Signed-off-by: chaojianhu
> Signed-off-by: Jason Wang
> ---
>  hw/net/xilinx_ethlite.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c
> index 54db2b8..35de353 100644
> --- a/hw/net/xilinx_ethlite.c
> +++ b/hw/net/xilinx_ethlite.c
> @@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t *buf, size_t size)
>      }
>
>      D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase));

This might be too late.

A new line would be great here, but no big deal.

Reviewed-by: Alistair Francis

Thanks,

Alistair

> +    if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4) {
> +        D(qemu_log("ethlite packet is too big, size=%x\n", size));
> +        return -1;
> +    }
>      memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size);
>
>      s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;
> --
> 2.7.4
>
>
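Review bot: the added log line inside the new check passes `size`, a `size_t`, to a `%x` conversion, while the context line just above it already formats the same variable with `%zd`; it should use `%zx` or `%zu` so the format and argument types match. The bound itself is consistent with the surrounding code: `(R_MAX - R_RX_BUF0 - rxbase) * 4` is the number of bytes left in `s->regs` from index `rxbase + R_RX_BUF0` to the end of the array, assuming 4-byte entries as the `* 4` implies, so rejecting anything larger before the `memcpy` is what closes the overflow described in the commit message. One thing the hunk does not show is that the rejected frame is only logged under `D()`, so a guest-visible drop of an oversize packet leaves no trace in a normal build; if that matters for diagnosing misbehaving guests, consider an unconditional `qemu_log_mask` instead.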