author | chaojianhu | 2016-08-09 05:52:54 +0200 |
committer | Jason Wang | 2016-08-09 09:27:18 +0200 |
commit | a0d1cbdacff5df4ded16b753b38fdd9da6092968 (patch) | |
tree | 6b8917d16c174baeb34e5dd8ceec838cdaf2dca2 | |
parent | net: vmxnet3: check for device_active before write (diff) | |
hw/net: Fix a heap overflow in xlnx.xps-ethernetlite
The .receive callback of xlnx.xps-ethernetlite doesn't check the length
of the data before calling memcpy. As a result, the NetClientState object on
the heap can be overflowed. All versions of QEMU that include xlnx.xps-ethernetlite
are affected.
Reported-by: chaojianhu <chaojianhu@hotmail.com>
Signed-off-by: chaojianhu <chaojianhu@hotmail.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
-rw-r--r-- | hw/net/xilinx_ethlite.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c
index 54db2b83bd..35de353b7c 100644
--- a/hw/net/xilinx_ethlite.c
+++ b/hw/net/xilinx_ethlite.c
@@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t *buf, size_t size)
 }
 D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase));
+ if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4) {
+ D(qemu_log("ethlite packet is too big, size=%x\n", size));
+ return -1;
+ }
 memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size);
 s->regs[rxbase + R_RX_CTRL0] |= CTRL_S; |