qemu-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PULL 3/3] hw/net: Fix a heap overflow in xlnx.xps-ethe


From: Alistair Francis
Subject: Re: [Qemu-devel] [PULL 3/3] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite
Date: Tue, 9 Aug 2016 16:15:29 -0700

On Tue, Aug 9, 2016 at 12:34 AM, Jason Wang <address@hidden> wrote:
> From: chaojianhu <address@hidden>
>
> The .receive callback of xlnx.xps-ethernetlite doesn't check the length
> of data before calling memcpy. As a result, the NetClientState object in
> heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite
> will be affected.
>
> Reported-by: chaojianhu <address@hidden>
> Signed-off-by: chaojianhu <address@hidden>
> Signed-off-by: Jason Wang <address@hidden>
> ---
>  hw/net/xilinx_ethlite.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c
> index 54db2b8..35de353 100644
> --- a/hw/net/xilinx_ethlite.c
> +++ b/hw/net/xilinx_ethlite.c
> @@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t 
> *buf, size_t size)
>      }
>
>      D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase));

This might be too late. A new line would be great here, but no big deal.

Reviewed-by: Alistair Francis <address@hidden>

Thanks,

Alistair

> +    if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4) {
> +        D(qemu_log("ethlite packet is too big, size=%x\n", size));
> +        return -1;
> +    }
>      memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size);
>
>      s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;
> --
> 2.7.4
>
>



reply via email to

[Prev in Thread] Current Thread [Next in Thread]