From patchwork Mon Jan 23 13:32:15 2012
X-Patchwork-Submitter: Anthony Liguori
X-Patchwork-Id: 137356
From: Anthony Liguori
To: qemu-devel@nongnu.org
Cc: Anthony Liguori
Date: Mon, 23 Jan 2012 07:32:15 -0600
Message-Id: <1327325535-3177-1-git-send-email-aliguori@us.ibm.com>
Subject: [Qemu-devel] [PATCH] e1000: bounds packet size against buffer size

Otherwise we can write beyond the buffer and corrupt memory. This is tracked as CVE-2012-0029.

Signed-off-by: Anthony Liguori
---
hw/e1000.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/hw/e1000.c b/hw/e1000.c index a29c944..86c5416 100644 --- a/hw/e1000.c +++ b/hw/e1000.c @@ -466,6 +466,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) bytes = split_size; if (tp->size + bytes > msh) bytes = msh - tp->size; + + bytes = MIN(sizeof(tp->data) - tp->size, bytes); pci_dma_read(&s->dev, addr, tp->data + tp->size, bytes); if ((sz = tp->size + bytes) >= hdr && tp->size < hdr) memmove(tp->header, tp->data, hdr); @@ -481,6 +483,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) // context descriptor TSE is not set, while data descriptor TSE is set DBGOUT(TXERR, "TCP segmentaion Error\n"); } else { + split_size = MIN(sizeof(tp->data) - tp->size, split_size); pci_dma_read(&s->dev, addr, tp->data + tp->size, split_size); tp->size += split_size; }
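Review bot: In the first hunk (the `@@ -466,6 +466,8 @@` region), `bytes = MIN(sizeof(tp->data) - tp->size, bytes);` only bounds the copy correctly while `tp->size <= sizeof(tp->data)` holds; if `tp->size` ever exceeded the buffer, the `size_t` subtraction would wrap to a huge value and the MIN would become a no-op, leaving the `pci_dma_read` into `tp->data + tp->size` unguarded. Since this patch is what establishes that invariant, consider writing the clamp in the same shape as the `msh` check two lines above (`if (tp->size + bytes > sizeof(tp->data)) bytes = sizeof(tp->data) - tp->size;`), or adding an `assert(tp->size <= sizeof(tp->data))` so a future regression fails loudly instead of silently re-opening the overflow. The extra blank `+` line added before the clamp is also unnecessary.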
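Review bot: In the second hunk (the `@@ -481,6 +483,7 @@` region), clamping `split_size` before `pci_dma_read` stops the overflow but silently truncates the frame and continues, whereas the sibling branch just above reports its error path with `DBGOUT(TXERR, ...)`. A guest pushing descriptors that exceed `sizeof(tp->data)` is either buggy or probing the device, so emitting a `DBGOUT(TXERR, ...)` when the clamp actually reduces `split_size` (and likewise for `bytes` in the first hunk) would make the condition visible to anyone debugging or monitoring the emulated NIC rather than leaving only a shorter-than-expected packet as evidence.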