qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH] hw/net: Fix a heap overflow in xlnx.xps-etherne

From: Jason Wang
Subject: Re: [Qemu-devel] [PATCH] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite
Date: Tue, 9 Aug 2016 11:51:18 +0800
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0 


On 2016年08月09日 10:24, chaojianhu wrote:

The .receive callback of xlnx.xps-ethernetlite doesn't check the length
of data before calling memcpy. As a result, the NetClientState object in
heap will be overflowd. All versions of qemu with xlnx.xps-ethernetlite
will be affected.

Reported-by: chaojianhu <address@hidden>
Patch looks correct. But as reported, please add Signed-off-by with your name and repost. 

Thanks



---
  hw/net/xilinx_ethlite.c | 4 ++++
  1 file changed, 4 insertions(+)

diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c
index 54db2b8..6d3eecc 100644
--- a/hw/net/xilinx_ethlite.c
+++ b/hw/net/xilinx_ethlite.c
@@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t 
*buf, size_t size)
      }
D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase)); 
+    if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4 ) {
+        D(qemu_log("ethlite packet is too big, size=%x\n", size);
+        return -1;
+    }
      memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size);
s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;
reply via email to
[Prev in Thread] Current Thread [Next in Thread]