david.venhoff/QEMU-Nyx-fork
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

hw/net: Fix a heap overflow in xlnx.xps-ethernetlite

Browse Source 
The .receive callback of xlnx.xps-ethernetlite doesn't check the length
of data before calling memcpy. As a result, the NetClientState object in
heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite
will be affected.

Reported-by: chaojianhu <chaojianhu@hotmail.com>
Signed-off-by: chaojianhu <chaojianhu@hotmail.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
This commit is contained in:
chaojianhu 2016-08-09 11:52:54 +08:00 committed by Jason Wang
parent 6c352ca9b4
commit a0d1cbdacf
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
hw/net/xilinx_ethlite.c
View File

@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t *buf, size_t size)
} }
D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase)); D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase));
if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4) {
D(qemu_log("ethlite packet is too big, size=%x\n", size));
return -1;
}
memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size); memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size);
s->regs[rxbase + R_RX_CTRL0] |= CTRL_S; s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;