From 9bbdbc66e5765068dce76e9269dce4547afd8ad4 Mon Sep 17 00:00:00 2001 From: P J P Date: Tue, 15 Sep 2015 16:40:49 +0530 Subject: net: add checks to validate ring buffer pointers(CVE-2015-5279) Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152) bytes to process network packets. While receiving packets via ne2000_receive() routine, a local 'index' variable could exceed the ring buffer size, which could lead to a memory buffer overflow. Added other checks at initialisation. Reported-by: Qinghao Tang Signed-off-by: P J P Signed-off-by: Stefan Hajnoczi --- hw/net/ne2000.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) (limited to 'hw/net/ne2000.c') diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c index 53c704a..3798a3b 100644 --- a/hw/net/ne2000.c +++ b/hw/net/ne2000.c @@ -221,6 +221,9 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_) } index = s->curpag << 8; + if (index >= NE2000_PMEM_END) { + index = s->start; + } /* 4 bytes for header */ total_len = size + 4; /* address for next packet (4 bytes for CRC) */ @@ -306,13 +309,19 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val) offset = addr | (page << 4); switch(offset) { case EN0_STARTPG: - s->start = val << 8; + if (val << 8 <= NE2000_PMEM_END) { + s->start = val << 8; + } break; case EN0_STOPPG: - s->stop = val << 8; + if (val << 8 <= NE2000_PMEM_END) { + s->stop = val << 8; + } break; case EN0_BOUNDARY: - s->boundary = val; + if (val << 8 < NE2000_PMEM_END) { + s->boundary = val; + } break; case EN0_IMR: s->imr = val; @@ -353,7 +362,9 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val) s->phys[offset - EN1_PHYS] = val; break; case EN1_CURPAG: - s->curpag = val; + if (val << 8 < NE2000_PMEM_END) { + s->curpag = val; + } break; case EN1_MULT ... EN1_MULT + 7: s->mult[offset - EN1_MULT] = val; -- cgit v1.1