hw/net: Fix a heap overflow in xlnx.xps-ethernetlite

Message ID BLU436-SMTP98842C445B9A4E4B033261DB1C0@phx.gbl
State New
Headers show

Commit Message

chaojianhu Aug. 9, 2016, 3:52 a.m.
The .receive callback of xlnx.xps-ethernetlite doesn't check the length
of data before calling memcpy. As a result, the NetClientState object in
heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite
will be affected.

Reported-by: chaojianhu <chaojianhu@hotmail.com>
Signed-off-by: chaojianhu <chaojianhu@hotmail.com>

---
 hw/net/xilinx_ethlite.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Jason Wang Aug. 9, 2016, 7:26 a.m. | #1
On 2016年08月09日 11:52, chaojianhu wrote:
> The .receive callback of xlnx.xps-ethernetlite doesn't check the length
> of data before calling memcpy. As a result, the NetClientState object in
> heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite
> will be affected.
>
> Reported-by: chaojianhu <chaojianhu@hotmail.com>
> Signed-off-by: chaojianhu <chaojianhu@hotmail.com>
>
> ---
>   hw/net/xilinx_ethlite.c | 4 ++++
>   1 file changed, 4 insertions(+)
>
> diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c
> index 54db2b8..35de353 100644
> --- a/hw/net/xilinx_ethlite.c
> +++ b/hw/net/xilinx_ethlite.c
> @@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t *buf, size_t size)
>       }
>   
>       D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase));
> +    if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4) {
> +        D(qemu_log("ethlite packet is too big, size=%x\n", size));
> +        return -1;
> +    }
>       memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size);
>   
>       s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;

Applied, thanks.

Patch

diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c
index 54db2b8..35de353 100644
--- a/hw/net/xilinx_ethlite.c
+++ b/hw/net/xilinx_ethlite.c
@@ -197,6 +197,10 @@  static ssize_t eth_rx(NetClientState *nc, const uint8_t *buf, size_t size)
     }
 
     D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase));
+    if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4) {
+        D(qemu_log("ethlite packet is too big, size=%x\n", size));
+        return -1;
+    }
     memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size);
 
     s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;