| Message ID | 1448869103-16281-2-git-send-email-jasowang@redhat.com |
|---|---|
| State | New |
| Headers | show |
On Mon, Nov 30, 2015 at 03:38:23PM +0800, Jason Wang wrote: > Backends could provide a packet whose length is greater than buffer > size. Check for this and truncate the packet to avoid rx buffer > overflow in this case. > > Cc: Prasad J Pandit <pjp@fedoraproject.org> > Cc: qemu-stable@nongnu.org > Signed-off-by: Jason Wang <jasowang@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> > --- > hw/net/pcnet.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c > index 309c40b..1f4a3db 100644 > --- a/hw/net/pcnet.c > +++ b/hw/net/pcnet.c > @@ -1064,6 +1064,12 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_) > int pktcount = 0; > > if (!s->looptest) { > + if (size > 4092) { > +#ifdef PCNET_DEBUG_RMD > + fprintf(stderr, "pcnet: truncates rx packet.\n"); > +#endif > + size = 4092; > + } > memcpy(src, buf, size); > /* no need to compute the CRC */ > src[size] = 0; > -- > 2.5.0 >
On 11/30/2015 06:46 PM, Michael S. Tsirkin wrote: > On Mon, Nov 30, 2015 at 03:38:23PM +0800, Jason Wang wrote: >> Backends could provide a packet whose length is greater than buffer >> size. Check for this and truncate the packet to avoid rx buffer >> overflow in this case. >> >> Cc: Prasad J Pandit <pjp@fedoraproject.org> >> Cc: qemu-stable@nongnu.org >> Signed-off-by: Jason Wang <jasowang@redhat.com> > Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Applied to my -net. Thanks. > >> --- >> hw/net/pcnet.c | 6 ++++++ >> 1 file changed, 6 insertions(+) >> >> diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c >> index 309c40b..1f4a3db 100644 >> --- a/hw/net/pcnet.c >> +++ b/hw/net/pcnet.c >> @@ -1064,6 +1064,12 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_) >> int pktcount = 0; >> >> if (!s->looptest) { >> + if (size > 4092) { >> +#ifdef PCNET_DEBUG_RMD >> + fprintf(stderr, "pcnet: truncates rx packet.\n"); >> +#endif >> + size = 4092; >> + } >> memcpy(src, buf, size); >> /* no need to compute the CRC */ >> src[size] = 0; >> -- >> 2.5.0 >>
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c index 309c40b..1f4a3db 100644 --- a/hw/net/pcnet.c +++ b/hw/net/pcnet.c @@ -1064,6 +1064,12 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_) int pktcount = 0; if (!s->looptest) { + if (size > 4092) { +#ifdef PCNET_DEBUG_RMD + fprintf(stderr, "pcnet: truncates rx packet.\n"); +#endif + size = 4092; + } memcpy(src, buf, size); /* no need to compute the CRC */ src[size] = 0;
Backends could provide a packet whose length is greater than buffer size. Check for this and truncate the packet to avoid rx buffer overflow in this case. Cc: Prasad J Pandit <pjp@fedoraproject.org> Cc: qemu-stable@nongnu.org Signed-off-by: Jason Wang <jasowang@redhat.com> --- hw/net/pcnet.c | 6 ++++++ 1 file changed, 6 insertions(+)