aboutsummaryrefslogtreecommitdiff
path: root/nbd
diff options
context:
space:
mode:
authorCédric Le Goater <clg@kaod.org>2020-09-01 14:21:50 +0200
committerCédric Le Goater <clg@kaod.org>2020-09-01 14:21:50 +0200
commitc2ab73fcbe79e0c751ab44cb6f42672f37a060e7 (patch)
tree58bb832393e4e57e5bc8d69912b1a6dd51d1f097 /nbd
parentaf6d66e23557a36491a06857a447d016f6cf9f33 (diff)
downloadqemu-c2ab73fcbe79e0c751ab44cb6f42672f37a060e7.zip
qemu-c2ab73fcbe79e0c751ab44cb6f42672f37a060e7.tar.gz
qemu-c2ab73fcbe79e0c751ab44cb6f42672f37a060e7.tar.bz2
ftgmac100: Fix integer overflow in ftgmac100_do_tx()
When inserting the VLAN tag in packets, memmove() can generate an integer overflow for packets whose length is less than 12 bytes. Move the VLAN insertion when the last segment of the frame is reached and check length against the size of the ethernet header (14 bytes) to avoid the crash. Return FTGMAC100_INT_XPKT_LOST status if the frame is too small. This seems like a good modeling choice even if Aspeed does not specify anything in that case. Cc: Frederic Konrad <konrad.frederic@yahoo.fr> Cc: Mauro Matteo Cascella <mcascell@redhat.com> Reported-by: Ziming Zhang <ezrakiez@gmail.com> Message-Id: <20200819100956.2216690-15-clg@kaod.org> Signed-off-by: Cédric Le Goater <clg@kaod.org>
Diffstat (limited to 'nbd')
0 files changed, 0 insertions, 0 deletions