From: "Michael S. Tsirkin" <mst@redhat.com>
To: Jason Wang <jasowang@redhat.com>
Cc: qemu-stable@nongnu.org, qemu-devel@nongnu.org,
Prasad J Pandit <pjp@fedoraproject.org>
Subject: Re: [Qemu-devel] [PATCH for 2.5 2/2] pcnet: fix rx buffer overflow(CVE-2015-7512)
Date: Mon, 30 Nov 2015 12:46:49 +0200
Message-ID: <20151130124642-mutt-send-email-mst@redhat.com>
In-Reply-To: <1448869103-16281-2-git-send-email-jasowang@redhat.com>

On Mon, Nov 30, 2015 at 03:38:23PM +0800, Jason Wang wrote:
> Backends could provide a packet whose length is greater than buffer
> size. Check for this and truncate the packet to avoid rx buffer
> overflow in this case.
>
> Cc: Prasad J Pandit <pjp@fedoraproject.org>
> Cc: qemu-stable@nongnu.org
> Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
> ---
> hw/net/pcnet.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
> index 309c40b..1f4a3db 100644
> --- a/hw/net/pcnet.c
> +++ b/hw/net/pcnet.c
> @@ -1064,6 +1064,12 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
> int pktcount = 0;
>
> if (!s->looptest) {
> + if (size > 4092) {
> +#ifdef PCNET_DEBUG_RMD
> + fprintf(stderr, "pcnet: truncates rx packet.\n");
> +#endif
> + size = 4092;
> + }
> memcpy(src, buf, size);
> /* no need to compute the CRC */
> src[size] = 0;
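
Review bot: The limit in `if (size > 4092)` and `size = 4092;` is a bare literal written twice, with nothing in the hunk tying it to the size of the buffer behind `src`. Since `src[size] = 0;` writes at least one byte past the copied data, the safe maximum depends on both the buffer's declared size and the trailer written after the payload; a named constant, or an expression derived from `sizeof` of that buffer minus the trailer length, would keep the check correct if either changes. Two further points on the same lines: the function parameter is `size_t size_` but the comparison uses `size`, whose declaration is outside the hunk, so if that local is a signed type a very large `size_` could turn negative and pass `size > 4092` before reaching `memcpy(src, buf, size)`; it is worth confirming the type or comparing against `size_` directly. The check is also placed inside `if (!s->looptest)`, so the loopback path gets no bound from this change and should be confirmed as limited elsewhere. Finally, truncation is only reported under `PCNET_DEBUG_RMD`, so in normal builds the guest and the backend see no indication that the frame was cut.
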
> --
> 2.5.0
>