hw/net: Fix a heap overflow in xlnx.xps-ethernetlite

The .receive callback of xlnx.xps-ethernetlite doesn't check the length of data before calling memcpy. As a result, the NetClientState object in heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite will be affected. Reported-by: N chaojianhu <chaojianhu@hotmail.com> Signed-off-by: N chaojianhu <chaojianhu@hotmail.com> Signed-off-by: N Jason Wang <jasowang@redhat.com>

hw/net: Fix a heap overflow in xlnx.xps-ethernetlite
The .receive callback of xlnx.xps-ethernetlite doesn't check the length of data before calling memcpy. As a result, the NetClientState object in heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite will be affected. Reported-by: N chaojianhu <chaojianhu@hotmail.com> Signed-off-by: N chaojianhu <chaojianhu@hotmail.com> Signed-off-by: N Jason Wang <jasowang@redhat.com>
a0d1cbda · chaojianhu · Jason Wang · 6c352ca9 · a0d1cbda
隐藏空白更改
内联并排

Showing with 4 addition and 0 deletion

hw/net/xilinx_ethlite.c hw/net/xilinx_ethlite.c +4 -0

未找到文件。
--- a/hw/net/xilinx_ethlite.c
+++ b/hw/net/xilinx_ethlite.c
@@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t *buf, size_t size)
    }

    D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase));
+    if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4) {
+        D(qemu_log("ethlite packet is too big, size=%x\n", size));
+        return -1;
+    }
    memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size);

    s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;