diff options
| author | Prasad J Pandit <pjp@fedoraproject.org> | 2020-03-24 22:57:22 +0530 |
|---|---|---|
| committer | Michael Roth <mdroth@linux.vnet.ibm.com> | 2020-06-22 12:52:33 -0500 |
| commit | fb6a24fb1ddee56433bd8452375c2790cf087883 (patch) | |
| tree | 61ee6a5118299b48cbb8f64a588b6375aec51c55 /hw/usb-net.c | |
| parent | 60c21aa0171f316ab9351951b9dbdd889ab70712 (diff) | |
| download | qemu-fb6a24fb1ddee56433bd8452375c2790cf087883.zip qemu-fb6a24fb1ddee56433bd8452375c2790cf087883.tar.gz qemu-fb6a24fb1ddee56433bd8452375c2790cf087883.tar.bz2 | |
net: tulip: check frame size and r/w data length
Tulip network driver while copying tx/rx buffers does not check
frame size against r/w data length. This may lead to OOB buffer
access. Add check to avoid it.
Limit iterations over descriptors to avoid potential infinite
loop issue in tulip_xmit_list_update.
Reported-by: Li Qiang <pangpei.lq@antfin.com>
Reported-by: Ziming Zhang <ezrakiez@gmail.com>
Reported-by: Jason Wang <jasowang@redhat.com>
Tested-by: Li Qiang <liq3ea@gmail.com>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 8ffb7265af64ec81748335ec8f20e7ab542c3850)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Diffstat (limited to 'hw/usb-net.c')
0 files changed, 0 insertions, 0 deletions