Message ID | BLU436-SMTP98842C445B9A4E4B033261DB1C0@phx.gbl |
---|---|
State | New |
Headers | show |
On 2016年08月09日 11:52, chaojianhu wrote: > The .receive callback of xlnx.xps-ethernetlite doesn't check the length > of data before calling memcpy. As a result, the NetClientState object in > heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite > will be affected. > > Reported-by: chaojianhu <chaojianhu@hotmail.com> > Signed-off-by: chaojianhu <chaojianhu@hotmail.com> > > --- > hw/net/xilinx_ethlite.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c > index 54db2b8..35de353 100644 > --- a/hw/net/xilinx_ethlite.c > +++ b/hw/net/xilinx_ethlite.c > @@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t *buf, size_t size) > } > > D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase)); > + if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4) { > + D(qemu_log("ethlite packet is too big, size=%x\n", size)); > + return -1; > + } > memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size); > > s->regs[rxbase + R_RX_CTRL0] |= CTRL_S; Applied, thanks.
diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c index 54db2b8..35de353 100644 --- a/hw/net/xilinx_ethlite.c +++ b/hw/net/xilinx_ethlite.c @@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t *buf, size_t size) } D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase)); + if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4) { + D(qemu_log("ethlite packet is too big, size=%x\n", size)); + return -1; + } memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size); s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;
The .receive callback of xlnx.xps-ethernetlite doesn't check the length of data before calling memcpy. As a result, the NetClientState object in heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite will be affected. Reported-by: chaojianhu <chaojianhu@hotmail.com> Signed-off-by: chaojianhu <chaojianhu@hotmail.com> --- hw/net/xilinx_ethlite.c | 4 ++++ 1 file changed, 4 insertions(+)