summaryrefslogtreecommitdiff
path: root/hw/net/pcnet.c
diff options
context:
space:
mode:
authorPetr Matousek <pmatouse@redhat.com>2015-05-24 10:53:44 +0200
committerStefan Hajnoczi <stefanha@redhat.com>2015-06-10 15:03:02 +0100
commit9f7c594c006289ad41169b854d70f5da6e400a2a (patch)
treec0ec35dc415f0ae1f0306b1dbc21b0d8668ba849 /hw/net/pcnet.c
parentb0411142f482df92717f8b4a3b746081a62b724f (diff)
downloadqemu-9f7c594c006289ad41169b854d70f5da6e400a2a.tar.gz
qemu-9f7c594c006289ad41169b854d70f5da6e400a2a.tar.bz2
qemu-9f7c594c006289ad41169b854d70f5da6e400a2a.zip
pcnet: force the buffer access to be in bounds during tx
4096 is the maximum length per TMD and it is also currently the size of the relay buffer pcnet driver uses for sending the packet data to QEMU for further processing. With packet spanning multiple TMDs it can happen that the overall packet size will be bigger than sizeof(buffer), which results in memory corruption. Fix this by only allowing to queue maximum sizeof(buffer) bytes. This is CVE-2015-3209. [Fixed 3-space indentation to QEMU's 4-space coding standard. --Stefan] Signed-off-by: Petr Matousek <pmatouse@redhat.com> Reported-by: Matt Tait <matttait@google.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Diffstat (limited to 'hw/net/pcnet.c')
-rw-r--r--hw/net/pcnet.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
index bdfd38f4ca..68b9981983 100644
--- a/hw/net/pcnet.c
+++ b/hw/net/pcnet.c
@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s)
}
bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
+
+ /* if multi-tmd packet outsizes s->buffer then skip it silently.
+ Note: this is not what real hw does */
+ if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
+ s->xmit_pos = -1;
+ goto txdone;
+ }
+
s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
s->xmit_pos += bcnt;