From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:43311) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Zoxaf-0004jB-Iy for qemu-devel@nongnu.org; Wed, 21 Oct 2015 13:54:26 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Zoxaa-0006Fy-EV for qemu-devel@nongnu.org; Wed, 21 Oct 2015 13:54:21 -0400 Received: from e35.co.us.ibm.com ([32.97.110.153]:45331) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Zoxaa-0006Fj-79 for qemu-devel@nongnu.org; Wed, 21 Oct 2015 13:54:16 -0400 Received: from localhost by e35.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Wed, 21 Oct 2015 11:54:15 -0600 From: Michael Roth Date: Wed, 21 Oct 2015 12:51:43 -0500 Message-Id: <1445449930-23525-14-git-send-email-mdroth@linux.vnet.ibm.com> In-Reply-To: <1445449930-23525-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1445449930-23525-1-git-send-email-mdroth@linux.vnet.ibm.com> Subject: [Qemu-devel] [PATCH 13/40] rtl8139: Fix receive buffer overflow check List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: Vladislav Yasevich , qemu-stable@nongnu.org, Stefan Hajnoczi , Michael Roth From: Vladislav Yasevich rtl8139_do_receive() tries to check for the overflow condition by making sure that packet_size + 8 does not exceed the available buffer space. The issue here is that RxBuffAddr, used to calculate available buffer space, is aligned to a a 4 byte boundry after every update. So it is possible that every packet ends up being slightly padded when written to the receive buffer. This padding is not taken into account when checking for overflow and we may end up missing the overflow condition can causing buffer overwrite. This patch takes alignment into consideration when checking for overflow condition. Signed-off-by: Vladislav Yasevich Reviewed-by: Jason Wang Message-id: 1441121206-6997-2-git-send-email-vyasevic@redhat.com Signed-off-by: Stefan Hajnoczi (cherry picked from commit fabdcd3392f16fc666b1d04fc1bbe5f1dbbf10a4) Signed-off-by: Michael Roth --- hw/net/rtl8139.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c index edbb61c..8a33466 100644 --- a/hw/net/rtl8139.c +++ b/hw/net/rtl8139.c @@ -1148,7 +1148,9 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t /* if receiver buffer is empty then avail == 0 */ - if (avail != 0 && size + 8 >= avail) +#define RX_ALIGN(x) (((x) + 3) & ~0x3) + + if (avail != 0 && RX_ALIGN(size + 8) >= avail) { DPRINTF("rx overflow: rx buffer length %d head 0x%04x " "read 0x%04x === available 0x%04x need 0x%04x\n", @@ -1176,7 +1178,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t rtl8139_write_buffer(s, (uint8_t *)&val, 4); /* correct buffer write pointer */ - s->RxBufAddr = MOD2((s->RxBufAddr + 3) & ~0x3, s->RxBufferSize); + s->RxBufAddr = MOD2(RX_ALIGN(s->RxBufAddr), s->RxBufferSize); /* now we can signal we have received something */ -- 1.9.1