diff options
| author | Peter Maydell <peter.maydell@linaro.org> | 2025-02-28 17:47:59 +0000 |
|---|---|---|
| committer | Philippe Mathieu-Daudé <philmd@linaro.org> | 2025-03-11 20:01:27 +0100 |
| commit | 2fa3a5b9469615d06091cf473d172794148e1248 (patch) | |
| tree | 4bf93381adb05ea5e769cb4db1bbee3e2e57fc3f /rust/qemu-api/src | |
| parent | 822405b1fea4f0f404df418bd70da0588b9207ce (diff) | |
| download | qemu-2fa3a5b9469615d06091cf473d172794148e1248.zip qemu-2fa3a5b9469615d06091cf473d172794148e1248.tar.gz qemu-2fa3a5b9469615d06091cf473d172794148e1248.tar.bz2 | |
hw/net/smc91c111: Sanitize packet numbers
The smc91c111 uses packet numbers as an index into its internal
s->data[][] array. Valid packet numbers are between 0 and 3, but
the code does not generally check this, and there are various
places where the guest can hand us an arbitrary packet number
and cause an out-of-bounds access to the data array.
Add validation of packet numbers. The datasheet is not very
helpful about how guest errors like this should be handled:
it says nothing on the subject, and none of the documented
error conditions are relevant. We choose to log the situation
with LOG_GUEST_ERROR and silently ignore the attempted operation.
In the places where we are about to access the data[][] array
using a packet number and we know the number is valid because
we got it from somewhere that has already validated, we add
an assert() to document that belief.
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20250228174802.1945417-2-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Diffstat (limited to 'rust/qemu-api/src')
0 files changed, 0 insertions, 0 deletions