net: mipsnet: check packet length against buffer

Message ID 1460024762-14592-1-git-send-email-ppandit@redhat.com
State New

Commit Message

Prasad Pandit April 7, 2016, 10:26 a.m. UTC
From: Prasad J Pandit <pjp@fedoraproject.org>

When receiving packets over the MIPSnet network device, it uses a
receive buffer of size 1514 bytes. In case the controller
accepts large (MTU) packets, it could lead to memory corruption.
Add a check to avoid it.

Reported by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com>

Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
 hw/net/mipsnet.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Markus Armbruster April 7, 2016, 3:44 p.m. UTC | #1
P J P <ppandit@redhat.com> writes:

> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> When receiving packets over MIPSnet network device, it uses
>  receive buffer of size 1514 bytes. In case the controller
> accepts large(MTU) packets, it could lead to memory corruption.
> Add check to avoid it.
>
> Reported by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com>
>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
>  hw/net/mipsnet.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/hw/net/mipsnet.c b/hw/net/mipsnet.c
> index f261011..e134b31 100644
> --- a/hw/net/mipsnet.c
> +++ b/hw/net/mipsnet.c
> @@ -82,6 +82,9 @@ static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si
>      if (!mipsnet_can_receive(nc))
>          return 0;
>  
> +    if (size >= sizeof(s->rx_buffer)) {
> +        return 0;
> +    }
>      s->busy = 1;
>  
>      /* Just accept everything. */
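
Review bot: the added `size >= sizeof(s->rx_buffer)` test also drops a frame whose length equals the buffer size, which the commit message gives as 1514 bytes, the length of a full-size Ethernet frame without FCS. If the copy into `rx_buffer` further down writes exactly `size` bytes, `size > sizeof(s->rx_buffer)` is enough to prevent the overflow and keeps full-size frames working; if the extra byte is reserved for some other reason, a comment next to the check should say why.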

Prompted by Peter Maydell's review of the buddy patch to stellaris_enet:
What does the physical device do when it receives such a packet?

Prasad Pandit April 11, 2016, 7:37 a.m. UTC | #2
+-- On Thu, 7 Apr 2016, Markus Armbruster wrote --+
| P J P <ppandit@redhat.com> writes:
| 
| > --- a/hw/net/mipsnet.c
| > +++ b/hw/net/mipsnet.c
| > @@ -82,6 +82,9 @@ static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si
| >      if (!mipsnet_can_receive(nc))
| >          return 0;
| >  
| > +    if (size >= sizeof(s->rx_buffer)) {
| > +        return 0;
| > +    }
| >      s->busy = 1;
| 
| Prompted by Peter Maydell's review of the buddy patch to stellaris_enet: 
| What does the physical device do when it receives such a packet?

I tried to find a device specification, but couldn't find any reference
to MIPSnet.

Jason, wdyt?
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Jason Wang April 11, 2016, 8:27 a.m. UTC | #3
On 04/11/2016 03:37 PM, P J P wrote:
> +-- On Thu, 7 Apr 2016, Markus Armbruster wrote --+
> | P J P <ppandit@redhat.com> writes:
> | 
> | > --- a/hw/net/mipsnet.c
> | > +++ b/hw/net/mipsnet.c
> | > @@ -82,6 +82,9 @@ static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si
> | >      if (!mipsnet_can_receive(nc))
> | >          return 0;
> | >  
> | > +    if (size >= sizeof(s->rx_buffer)) {
> | > +        return 0;
> | > +    }
> | >      s->busy = 1;
> | 
> | Prompted by Peter Maydell's review of the buddy patch to stellaris_enet: 
> | What does the physical device do when it receives such a packet?
>
>   I tried to find a device specification, but couldn't find any reference 
> MIPSnet.
>
> Jason, wdyt?

Can't find either. Looking at kernel driver git logs, the driver was
even removed since 2012 because it was no longer supported by MIPS.
Considering it indeed fixes a memory corruption, I tend to apply this first
for 2.6.

> --
> Prasad J Pandit / Red Hat Product Security Team
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
>

Prasad Pandit April 11, 2016, 8:51 a.m. UTC | #4
+-- On Mon, 11 Apr 2016, Jason Wang wrote --+
| Can't find either. Looking at kernel driver git logs, the driver was even 
| removed since 2012 because it was not longer supported by MIPS. Consider it 
| indeed fixes a memory corruption, I tend to apply this first for 2.6.

Okay, thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Jason Wang April 26, 2016, 7:16 a.m. UTC | #5
On 04/07/2016 06:26 PM, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> When receiving packets over MIPSnet network device, it uses
>  receive buffer of size 1514 bytes. In case the controller
> accepts large(MTU) packets, it could lead to memory corruption.
> Add check to avoid it.
>
> Reported by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com>
>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
>  hw/net/mipsnet.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/hw/net/mipsnet.c b/hw/net/mipsnet.c
> index f261011..e134b31 100644
> --- a/hw/net/mipsnet.c
> +++ b/hw/net/mipsnet.c
> @@ -82,6 +82,9 @@ static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si
>      if (!mipsnet_can_receive(nc))
>          return 0;
>  
> +    if (size >= sizeof(s->rx_buffer)) {
> +        return 0;
> +    }
>      s->busy = 1;
>  
>      /* Just accept everything. */
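
Review bot: the context comment `/* Just accept everything. */` directly after the new check no longer matches the code, since oversized packets are now rejected before it is reached. Update or drop that comment, and add a one-line comment on the new `if` saying the packet is discarded because it would not fit in `rx_buffer`, so the silent drop is documented where it happens.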

Apply to net-next.

Thanks

Patch

diff --git a/hw/net/mipsnet.c b/hw/net/mipsnet.c
index f261011..e134b31 100644
--- a/hw/net/mipsnet.c
+++ b/hw/net/mipsnet.c
@@ -82,6 +82,9 @@  static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si
     if (!mipsnet_can_receive(nc))
         return 0;
 
+    if (size >= sizeof(s->rx_buffer)) {
+        return 0;
+    }
     s->busy = 1;
 
     /* Just accept everything. */
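
Review bot: the oversized-packet branch added before `s->busy = 1` returns 0, the same value the `!mipsnet_can_receive(nc)` branch just above it returns, so the caller cannot distinguish a packet that will never fit from a device that is only temporarily unable to receive. If the net layer queues or retries a packet on a 0 return, an oversized packet would be held rather than discarded; consider returning `size` (consumed and dropped) or a negative value here, and state the chosen semantics in the commit message.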