e1000: fix access 4 bytes beyond buffer end

We do range check for size, and get size as buffer, but copy size + 4 bytes (4 is for FCS). Let's copy size bytes but put size + 4 in length. Signed-off-by: N Michael S. Tsirkin <mst@redhat.com>

e1000: fix access 4 bytes beyond buffer end
We do range check for size, and get size as buffer, but copy size + 4 bytes (4 is for FCS). Let's copy size bytes but put size + 4 in length. Signed-off-by: N Michael S. Tsirkin <mst@redhat.com>
b0b90007 · Michael S. Tsirkin · d67eb20f · b0b90007
隐藏空白更改
内联并排

Showing with 1 addition and 2 deletion

hw/e1000.c hw/e1000.c +1 -2

未找到文件。
--- a/hw/e1000.c
+++ b/hw/e1000.c
@@ -649,7 +649,6 @@ e1000_receive(VLANClientState *nc, const uint8_t *buf, size_t size)
    }

    rdh_start = s->mac_reg[RDH];
-    size += 4; // for the header
    do {
        if (s->mac_reg[RDH] == s->mac_reg[RDT] && s->check_rxov) {
            set_ics(s, 0, E1000_ICS_RXO);
@@ -663,7 +662,7 @@ e1000_receive(VLANClientState *nc, const uint8_t *buf, size_t size)
        if (desc.buffer_addr) {
            cpu_physical_memory_write(le64_to_cpu(desc.buffer_addr),
                                      (void *)(buf + vlan_offset), size);
-            desc.length = cpu_to_le16(size);
+            desc.length = cpu_to_le16(size + 4 /* for FCS */);
            desc.status |= E1000_RXD_STAT_EOP|E1000_RXD_STAT_IXSM;
        } else // as per intel docs; skip descriptors with null buf addr
            DBGOUT(RX, "Null RX descriptor!!\n");