aboutsummaryrefslogtreecommitdiff
path: root/hw/ne2000.c
diff options
context:
space:
mode:
authorths <ths@c046a42c-6fe2-441c-8c8c-71466251a162>2007-06-25 13:47:44 +0000
committerths <ths@c046a42c-6fe2-441c-8c8c-71466251a162>2007-06-25 13:47:44 +0000
commit0ae045ae439ad83692ad039a554f7d62acf9de5c (patch)
tree79a7aab2d9eec4e60c7ad8665e7e4515500af7e9 /hw/ne2000.c
parentaec62507bb6a14b02575f40ec84f617b935043d3 (diff)
downloadqemu-0ae045ae439ad83692ad039a554f7d62acf9de5c.zip
qemu-0ae045ae439ad83692ad039a554f7d62acf9de5c.tar.gz
qemu-0ae045ae439ad83692ad039a554f7d62acf9de5c.tar.bz2
Insufficient input validation in NE2000 card, written by Tavis Ormandy,
contributed by Aurelien Jarno. git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@3019 c046a42c-6fe2-441c-8c8c-71466251a162
Diffstat (limited to 'hw/ne2000.c')
-rw-r--r--hw/ne2000.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/hw/ne2000.c b/hw/ne2000.c
index 1625c55..6d5aa56 100644
--- a/hw/ne2000.c
+++ b/hw/ne2000.c
@@ -224,7 +224,7 @@ static void ne2000_receive(void *opaque, const uint8_t *buf, int size)
{
NE2000State *s = opaque;
uint8_t *p;
- int total_len, next, avail, len, index, mcast_idx;
+ unsigned int total_len, next, avail, len, index, mcast_idx;
uint8_t buf1[60];
static const uint8_t broadcast_macaddr[6] =
{ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
@@ -293,7 +293,10 @@ static void ne2000_receive(void *opaque, const uint8_t *buf, int size)
/* write packet data */
while (size > 0) {
- avail = s->stop - index;
+ if (index <= s->stop)
+ avail = s->stop - index;
+ else
+ avail = 0;
len = size;
if (len > avail)
len = avail;