* [Bug 1904954] [NEW] lan9118 bug peeking receive massage size not equal to received message size
@ 2020-11-20 3:11 alfred gedeon
2020-11-20 4:08 ` [Bug 1904954] " alfred gedeon
` (9 more replies)
0 siblings, 10 replies; 11+ messages in thread
From: alfred gedeon @ 2020-11-20 3:11 UTC (permalink / raw)
To: qemu-devel
Public bug reported:
peeked message size is not equal to read message size
Bug in the code at line:
https://github.com/qemu/qemu/blob/master/hw/net/lan9118.c#L1209
s->tx_status_fifo_head should be s->rx_status_fifo_head
Thanks,
Alfred
** Affects: qemu
Importance: Undecided
Status: New
** Tags: ethernet lan lan9118 netwroking
** Description changed:
- peeked message is not equal to read message
-
+ peeked message size is not equal to read message size
Bug in the code at line:
https://github.com/qemu/qemu/blob/master/hw/net/lan9118.c#L1209
s->tx_status_fifo_head should be s->rx_status_fifo_head
Thanks,
Alfred
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1904954
Title:
lan9118 bug peeking receive massage size not equal to received message
size
Status in QEMU:
New
Bug description:
peeked message size is not equal to read message size
Bug in the code at line:
https://github.com/qemu/qemu/blob/master/hw/net/lan9118.c#L1209
s->tx_status_fifo_head should be s->rx_status_fifo_head
Thanks,
Alfred
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1904954/+subscriptions
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug 1904954] Re: lan9118 bug peeking receive massage size not equal to received message size
2020-11-20 3:11 [Bug 1904954] [NEW] lan9118 bug peeking receive massage size not equal to received message size alfred gedeon
@ 2020-11-20 4:08 ` alfred gedeon
2020-12-23 6:15 ` [Bug 1904954] Re: lan9118 bug peeked received message size not equal to actual " alfred gedeon
` (8 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: alfred gedeon @ 2020-11-20 4:08 UTC (permalink / raw)
To: qemu-devel
** Description changed:
peeked message size is not equal to read message size
Bug in the code at line:
https://github.com/qemu/qemu/blob/master/hw/net/lan9118.c#L1209
s->tx_status_fifo_head should be s->rx_status_fifo_head
+ Could also be a security bug, as the user could allocate a buffer of
+ size peeked data smaller than the actual packet received, which could
+ cause a buffer overflow and its attaks.
+
Thanks,
Alfred
** Description changed:
peeked message size is not equal to read message size
Bug in the code at line:
https://github.com/qemu/qemu/blob/master/hw/net/lan9118.c#L1209
s->tx_status_fifo_head should be s->rx_status_fifo_head
Could also be a security bug, as the user could allocate a buffer of
size peeked data smaller than the actual packet received, which could
- cause a buffer overflow and its attaks.
+ cause a buffer overflow.
Thanks,
Alfred
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1904954
Title:
lan9118 bug peeking receive massage size not equal to received message
size
Status in QEMU:
New
Bug description:
peeked message size is not equal to read message size
Bug in the code at line:
https://github.com/qemu/qemu/blob/master/hw/net/lan9118.c#L1209
s->tx_status_fifo_head should be s->rx_status_fifo_head
Could also be a security bug, as the user could allocate a buffer of
size peeked data smaller than the actual packet received, which could
cause a buffer overflow.
Thanks,
Alfred
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1904954/+subscriptions
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug 1904954] Re: lan9118 bug peeked received message size not equal to actual received message size
2020-11-20 3:11 [Bug 1904954] [NEW] lan9118 bug peeking receive massage size not equal to received message size alfred gedeon
2020-11-20 4:08 ` [Bug 1904954] " alfred gedeon
@ 2020-12-23 6:15 ` alfred gedeon
2021-01-08 17:27 ` Peter Maydell
` (7 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: alfred gedeon @ 2020-12-23 6:15 UTC (permalink / raw)
To: qemu-devel
** Summary changed:
- lan9118 bug peeking receive massage size not equal to received message size
+ lan9118 bug peeked received message size not equal to actual received message size
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1904954
Title:
lan9118 bug peeked received message size not equal to actual received
message size
Status in QEMU:
New
Bug description:
peeked message size is not equal to read message size
Bug in the code at line:
https://github.com/qemu/qemu/blob/master/hw/net/lan9118.c#L1209
s->tx_status_fifo_head should be s->rx_status_fifo_head
Could also be a security bug, as the user could allocate a buffer of
size peeked data smaller than the actual packet received, which could
cause a buffer overflow.
Thanks,
Alfred
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1904954/+subscriptions
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug 1904954] Re: lan9118 bug peeked received message size not equal to actual received message size
2020-11-20 3:11 [Bug 1904954] [NEW] lan9118 bug peeking receive massage size not equal to received message size alfred gedeon
2020-11-20 4:08 ` [Bug 1904954] " alfred gedeon
2020-12-23 6:15 ` [Bug 1904954] Re: lan9118 bug peeked received message size not equal to actual " alfred gedeon
@ 2021-01-08 17:27 ` Peter Maydell
2021-01-08 17:30 ` Peter Maydell
` (6 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: Peter Maydell @ 2021-01-08 17:27 UTC (permalink / raw)
To: qemu-devel
Do you have a test case that will reproduce this bug ?
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1904954
Title:
lan9118 bug peeked received message size not equal to actual received
message size
Status in QEMU:
New
Bug description:
peeked message size is not equal to read message size
Bug in the code at line:
https://github.com/qemu/qemu/blob/master/hw/net/lan9118.c#L1209
s->tx_status_fifo_head should be s->rx_status_fifo_head
Could also be a security bug, as the user could allocate a buffer of
size peeked data smaller than the actual packet received, which could
cause a buffer overflow.
Thanks,
Alfred
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1904954/+subscriptions
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug 1904954] Re: lan9118 bug peeked received message size not equal to actual received message size
2020-11-20 3:11 [Bug 1904954] [NEW] lan9118 bug peeking receive massage size not equal to received message size alfred gedeon
` (2 preceding siblings ...)
2021-01-08 17:27 ` Peter Maydell
@ 2021-01-08 17:30 ` Peter Maydell
2021-01-08 18:08 ` Peter Maydell
` (5 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: Peter Maydell @ 2021-01-08 17:30 UTC (permalink / raw)
To: qemu-devel
(The line of code you point out is pretty clearly wrong; it would just
be nice to have a test case to confirm that the obvious fix works.)
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1904954
Title:
lan9118 bug peeked received message size not equal to actual received
message size
Status in QEMU:
New
Bug description:
peeked message size is not equal to read message size
Bug in the code at line:
https://github.com/qemu/qemu/blob/master/hw/net/lan9118.c#L1209
s->tx_status_fifo_head should be s->rx_status_fifo_head
Could also be a security bug, as the user could allocate a buffer of
size peeked data smaller than the actual packet received, which could
cause a buffer overflow.
Thanks,
Alfred
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1904954/+subscriptions
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug 1904954] Re: lan9118 bug peeked received message size not equal to actual received message size
2020-11-20 3:11 [Bug 1904954] [NEW] lan9118 bug peeking receive massage size not equal to received message size alfred gedeon
` (3 preceding siblings ...)
2021-01-08 17:30 ` Peter Maydell
@ 2021-01-08 18:08 ` Peter Maydell
2021-01-08 19:06 ` Peter Maydell
` (4 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: Peter Maydell @ 2021-01-08 18:08 UTC (permalink / raw)
To: qemu-devel
This patchset should fix this bug:
https://patchew.org/QEMU/20210108180401.2263-1-peter.maydell@linaro.org/
PS: this isn't a security issue because the lan9118 is used only on
board models that can't run under KVM and so it is not on QEMU's
security boundary.
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1904954
Title:
lan9118 bug peeked received message size not equal to actual received
message size
Status in QEMU:
New
Bug description:
peeked message size is not equal to read message size
Bug in the code at line:
https://github.com/qemu/qemu/blob/master/hw/net/lan9118.c#L1209
s->tx_status_fifo_head should be s->rx_status_fifo_head
Could also be a security bug, as the user could allocate a buffer of
size peeked data smaller than the actual packet received, which could
cause a buffer overflow.
Thanks,
Alfred
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1904954/+subscriptions
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug 1904954] Re: lan9118 bug peeked received message size not equal to actual received message size
2020-11-20 3:11 [Bug 1904954] [NEW] lan9118 bug peeking receive massage size not equal to received message size alfred gedeon
` (4 preceding siblings ...)
2021-01-08 18:08 ` Peter Maydell
@ 2021-01-08 19:06 ` Peter Maydell
2021-01-08 23:54 ` alfred gedeon
` (3 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: Peter Maydell @ 2021-01-08 19:06 UTC (permalink / raw)
To: qemu-devel
** Changed in: qemu
Status: New => In Progress
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1904954
Title:
lan9118 bug peeked received message size not equal to actual received
message size
Status in QEMU:
In Progress
Bug description:
peeked message size is not equal to read message size
Bug in the code at line:
https://github.com/qemu/qemu/blob/master/hw/net/lan9118.c#L1209
s->tx_status_fifo_head should be s->rx_status_fifo_head
Could also be a security bug, as the user could allocate a buffer of
size peeked data smaller than the actual packet received, which could
cause a buffer overflow.
Thanks,
Alfred
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1904954/+subscriptions
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug 1904954] Re: lan9118 bug peeked received message size not equal to actual received message size
2020-11-20 3:11 [Bug 1904954] [NEW] lan9118 bug peeking receive massage size not equal to received message size alfred gedeon
` (5 preceding siblings ...)
2021-01-08 19:06 ` Peter Maydell
@ 2021-01-08 23:54 ` alfred gedeon
2021-01-15 16:13 ` Peter Maydell
` (2 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: alfred gedeon @ 2021-01-08 23:54 UTC (permalink / raw)
To: qemu-devel
We do have some code, that is giving different results, between the
peeked and the actual:
https://github.com/FreeRTOS/FreeRTOS-Plus-
TCP/blob/9a25860e761036a9eb780799c9db632e3eff60c9/portable/NetworkInterface/MPS2_AN385/NetworkInterface.c#L237
We also have a fix to circumvent the problem by just reading the actual
size and omit the peeked bytes.
https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/pull/142
changing the code i pointed locally worked fine, but we can't expect all
our users to compile qemu from scratch and apply a patch
Alfred
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1904954
Title:
lan9118 bug peeked received message size not equal to actual received
message size
Status in QEMU:
In Progress
Bug description:
peeked message size is not equal to read message size
Bug in the code at line:
https://github.com/qemu/qemu/blob/master/hw/net/lan9118.c#L1209
s->tx_status_fifo_head should be s->rx_status_fifo_head
Could also be a security bug, as the user could allocate a buffer of
size peeked data smaller than the actual packet received, which could
cause a buffer overflow.
Thanks,
Alfred
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1904954/+subscriptions
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug 1904954] Re: lan9118 bug peeked received message size not equal to actual received message size
2020-11-20 3:11 [Bug 1904954] [NEW] lan9118 bug peeking receive massage size not equal to received message size alfred gedeon
` (6 preceding siblings ...)
2021-01-08 23:54 ` alfred gedeon
@ 2021-01-15 16:13 ` Peter Maydell
2021-04-29 10:45 ` Thomas Huth
2021-04-30 7:18 ` Thomas Huth
9 siblings, 0 replies; 11+ messages in thread
From: Peter Maydell @ 2021-01-15 16:13 UTC (permalink / raw)
To: qemu-devel
Fix now in master: commit e7e29fdbbe07f.
** Changed in: qemu
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1904954
Title:
lan9118 bug peeked received message size not equal to actual received
message size
Status in QEMU:
Fix Committed
Bug description:
peeked message size is not equal to read message size
Bug in the code at line:
https://github.com/qemu/qemu/blob/master/hw/net/lan9118.c#L1209
s->tx_status_fifo_head should be s->rx_status_fifo_head
Could also be a security bug, as the user could allocate a buffer of
size peeked data smaller than the actual packet received, which could
cause a buffer overflow.
Thanks,
Alfred
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1904954/+subscriptions
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug 1904954] Re: lan9118 bug peeked received message size not equal to actual received message size
2020-11-20 3:11 [Bug 1904954] [NEW] lan9118 bug peeking receive massage size not equal to received message size alfred gedeon
` (7 preceding siblings ...)
2021-01-15 16:13 ` Peter Maydell
@ 2021-04-29 10:45 ` Thomas Huth
2021-04-30 7:18 ` Thomas Huth
9 siblings, 0 replies; 11+ messages in thread
From: Thomas Huth @ 2021-04-29 10:45 UTC (permalink / raw)
To: qemu-devel
** Tags removed: netwroking
** Tags added: networking
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1904954
Title:
lan9118 bug peeked received message size not equal to actual received
message size
Status in QEMU:
Fix Committed
Bug description:
peeked message size is not equal to read message size
Bug in the code at line:
https://github.com/qemu/qemu/blob/master/hw/net/lan9118.c#L1209
s->tx_status_fifo_head should be s->rx_status_fifo_head
Could also be a security bug, as the user could allocate a buffer of
size peeked data smaller than the actual packet received, which could
cause a buffer overflow.
Thanks,
Alfred
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1904954/+subscriptions
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug 1904954] Re: lan9118 bug peeked received message size not equal to actual received message size
2020-11-20 3:11 [Bug 1904954] [NEW] lan9118 bug peeking receive massage size not equal to received message size alfred gedeon
` (8 preceding siblings ...)
2021-04-29 10:45 ` Thomas Huth
@ 2021-04-30 7:18 ` Thomas Huth
9 siblings, 0 replies; 11+ messages in thread
From: Thomas Huth @ 2021-04-30 7:18 UTC (permalink / raw)
To: qemu-devel
** Changed in: qemu
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1904954
Title:
lan9118 bug peeked received message size not equal to actual received
message size
Status in QEMU:
Fix Released
Bug description:
peeked message size is not equal to read message size
Bug in the code at line:
https://github.com/qemu/qemu/blob/master/hw/net/lan9118.c#L1209
s->tx_status_fifo_head should be s->rx_status_fifo_head
Could also be a security bug, as the user could allocate a buffer of
size peeked data smaller than the actual packet received, which could
cause a buffer overflow.
Thanks,
Alfred
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1904954/+subscriptions
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2021-04-30 7:30 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-11-20 3:11 [Bug 1904954] [NEW] lan9118 bug peeking receive massage size not equal to received message size alfred gedeon
2020-11-20 4:08 ` [Bug 1904954] " alfred gedeon
2020-12-23 6:15 ` [Bug 1904954] Re: lan9118 bug peeked received message size not equal to actual " alfred gedeon
2021-01-08 17:27 ` Peter Maydell
2021-01-08 17:30 ` Peter Maydell
2021-01-08 18:08 ` Peter Maydell
2021-01-08 19:06 ` Peter Maydell
2021-01-08 23:54 ` alfred gedeon
2021-01-15 16:13 ` Peter Maydell
2021-04-29 10:45 ` Thomas Huth
2021-04-30 7:18 ` Thomas Huth
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).