From: Jason Wang <jasowang@redhat.com>
To: "Michael S. Tsirkin" <mst@redhat.com>
Cc: qemu-stable@nongnu.org, qemu-devel@nongnu.org,
Prasad J Pandit <pjp@fedoraproject.org>
Subject: Re: [Qemu-devel] [PATCH for 2.5 1/2] net: pcnet: add check to validate receive data size(CVE-2015-7504)
Date: Tue, 1 Dec 2015 13:05:27 +0800
Message-ID: <565D2A97.10208@redhat.com>
In-Reply-To: <20151130124631-mutt-send-email-mst@redhat.com>
On 11/30/2015 06:46 PM, Michael S. Tsirkin wrote:
> On Mon, Nov 30, 2015 at 03:38:22PM +0800, Jason Wang wrote:
>> From: Prasad J Pandit <pjp@fedoraproject.org>
>>
>> In loopback mode, pcnet_receive routine appends CRC code to the
>> receive buffer. If the data size given is same as the buffer size,
>> the appended CRC code overwrites 4 bytes after s->buffer. Added a
>> check to avoid that.
>>
>> Reported by: Qinghao Tang <luodalongde@gmail.com>
>> Cc: qemu-stable@nongnu.org
>> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
>> Signed-off-by: Jason Wang <jasowang@redhat.com>
> Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Applied to my -net. Thanks
>> ---
>> hw/net/pcnet.c | 8 +++++---
>> 1 file changed, 5 insertions(+), 3 deletions(-)
>>
>> diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
>> index 0eb3cc4..309c40b 100644
>> --- a/hw/net/pcnet.c
>> +++ b/hw/net/pcnet.c
>> @@ -1084,7 +1084,7 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
>> uint32_t fcs = ~0;
>> uint8_t *p = src;
>>
>> - while (p != &src[size-4])
>> + while (p != &src[size])
>> CRC(fcs, *p++);
>> crc_err = (*(uint32_t *)p != htonl(fcs));
>> }
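Review bot: the hunk changes only the loop bound, so the 4-byte read in `crc_err = (*(uint32_t *)p != htonl(fcs));` now happens at `&src[size]` and still has no length check of its own in this hunk; whether those four bytes lie inside `s->buffer` depends on how `size` is derived earlier in `pcnet_receive`, which is outside the diff, so the commit message's "Added a check" should name the condition that guarantees `size + 4 <= sizeof(s->buffer)` on this path. The new bound does remove one visible hazard: with the old `while (p != &src[size-4])`, a `size` below 4 underflows the `size_t` index and the loop walks past the buffer. Separately, `*(uint32_t *)p` is an unaligned, type-punned load; comparing `ldl_be_p(p)` with `fcs` (or `memcmp` against a big-endian copy of `fcs`) would express the check without the cast.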
>> @@ -1233,8 +1233,10 @@ static void pcnet_transmit(PCNetState *s)
>> bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
>>
>> /* if multi-tmd packet outsizes s->buffer then skip it silently.
>> - Note: this is not what real hw does */
>> - if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
>> + * Note: this is not what real hw does.
>> + * Last four bytes of s->buffer are used to store CRC FCS code.
>> + */
>> + if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) {
>> s->xmit_pos = -1;
>> goto txdone;
>> }
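Review bot: the new bound `s->xmit_pos + bcnt > sizeof(s->buffer) - 4` hard-codes the same four bytes that the updated comment says are reserved for the FCS, and the `pcnet_receive` hunk above relies on the same reservation when it reads the CRC after the data; a named constant for the FCS length, declared once next to `s->buffer` and used at both sites, would keep the two from drifting apart. The comment reflow to a proper multi-line block is fine as is.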
>> --
>> 2.5.0
>>
Thread overview: 6+ messages
2015-11-30 7:38 [Qemu-devel] [PATCH for 2.5 1/2] net: pcnet: add check to validate receive data size(CVE-2015-7504) Jason Wang
2015-11-30 7:38 ` [Qemu-devel] [PATCH for 2.5 2/2] pcnet: fix rx buffer overflow(CVE-2015-7512) Jason Wang
2015-11-30 10:46 ` Michael S. Tsirkin
2015-12-01 5:06 ` Jason Wang
2015-11-30 10:46 ` [Qemu-devel] [PATCH for 2.5 1/2] net: pcnet: add check to validate receive data size(CVE-2015-7504) Michael S. Tsirkin
2015-12-01 5:05 ` Jason Wang [this message]