aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPeter Maydell <peter.maydell@linaro.org>2015-06-10 15:10:14 +0100
committerPeter Maydell <peter.maydell@linaro.org>2015-06-10 15:10:14 +0100
commite015fe008a3a8901913248cdb50c62dba795c588 (patch)
treec0ec35dc415f0ae1f0306b1dbc21b0d8668ba849
parentb0411142f482df92717f8b4a3b746081a62b724f (diff)
parent9f7c594c006289ad41169b854d70f5da6e400a2a (diff)
downloadqemu-e015fe008a3a8901913248cdb50c62dba795c588.zip
qemu-e015fe008a3a8901913248cdb50c62dba795c588.tar.gz
qemu-e015fe008a3a8901913248cdb50c62dba795c588.tar.bz2
Merge remote-tracking branch 'remotes/stefanha/tags/CVE-2015-3209-pcnet-tx-buffer-fix-pull-request' into staging
# gpg: Signature made Wed Jun 10 15:04:11 2015 BST using RSA key ID 81AB73C8 # gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>" # gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>" * remotes/stefanha/tags/CVE-2015-3209-pcnet-tx-buffer-fix-pull-request: pcnet: force the buffer access to be in bounds during tx Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-rw-r--r--hw/net/pcnet.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
index bdfd38f..68b9981 100644
--- a/hw/net/pcnet.c
+++ b/hw/net/pcnet.c
@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s)
}
bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
+
+ /* if multi-tmd packet outsizes s->buffer then skip it silently.
+ Note: this is not what real hw does */
+ if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
+ s->xmit_pos = -1;
+ goto txdone;
+ }
+
s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
s->xmit_pos += bcnt;