[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH v2] net: smc91c111: check packet number and data reg
From: |
P J P |
Subject: |
[Qemu-devel] [PATCH v2] net: smc91c111: check packet number and data register index |
Date: |
Wed, 26 Oct 2016 17:47:33 +0530 |
From: Prasad J Pandit <address@hidden>
SMSC91C111 Ethernet interface emulator has registers to store
'packet number' and a 'pointer' to Tx/Rx FIFO buffer area.
These two are used to derive an address to access into 'data'
registers. If they are set incorrectly, they could lead to an
OOB r/w access beyond packet 'data' area. Add check to avoid it.
Reported-by: Azure Yang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/net/smc91c111.c | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
Update per:
-> https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg06108.html
diff --git a/hw/net/smc91c111.c b/hw/net/smc91c111.c
index 3b16dcf..f9698ca 100644
--- a/hw/net/smc91c111.c
+++ b/hw/net/smc91c111.c
@@ -418,7 +418,7 @@ static void smc91c111_writeb(void *opaque, hwaddr offset,
/* Ignore. */
return;
case 2: /* Packet Number Register */
- s->packet_num = value;
+ s->packet_num = value & 0x03F;
return;
case 3: case 4: case 5:
/* Should be readonly, but linux writes to them anyway. Ignore. */
@@ -438,13 +438,16 @@ static void smc91c111_writeb(void *opaque, hwaddr offset,
n = s->rx_fifo[0];
else
n = s->packet_num;
- p = s->ptr & 0x07ff;
+ p = s->ptr;
if (s->ptr & 0x4000) {
s->ptr = (s->ptr & 0xf800) | ((s->ptr + 1) & 0x7ff);
} else {
p += (offset & 3);
}
- s->data[n][p] = value;
+ p &= 0x07ff;
+ if (n < NUM_PACKETS && n & s->allocated) {
+ s->data[n][p] = value;
+ }
}
return;
case 12: /* Interrupt ACK. */
@@ -584,13 +587,17 @@ static uint32_t smc91c111_readb(void *opaque, hwaddr
offset)
n = s->rx_fifo[0];
else
n = s->packet_num;
- p = s->ptr & 0x07ff;
+ p = s->ptr;
if (s->ptr & 0x4000) {
s->ptr = (s->ptr & 0xf800) | ((s->ptr + 1) & 0x07ff);
} else {
p += (offset & 3);
}
- return s->data[n][p];
+ p &= 0x07ff;
+ if (n < NUM_PACKETS && n & s->allocated) {
+ return s->data[n][p];
+ }
+ return 0;
}
case 12: /* Interrupt status. */
return s->int_level;
--
2.7.4
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Qemu-devel] [PATCH v2] net: smc91c111: check packet number and data register index,
P J P <=