From: P J P Date: Tue, 2 Feb 2016 19:59:52 +0530 Message-Id: <1454423392-7732-1-git-send-email-ppandit@redhat.com> Subject: [Qemu-devel] [PATCH] net: ne2000: check ring buffer control registers To: QEMU Developers Cc: Yang Hongke, Jason Wang, Prasad J Pandit From: Prasad J Pandit Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152) bytes to process network packets. Four registers PSTART, PSTOP, CURPAGE and BOUNDARY are used to control ring buffer access. Setting these registers to invalid values could lead to infinite loop or OOB r/w access issues. Add checks to avoid it. Reported-by: Yang Hongke Signed-off-by: Prasad J Pandit --- hw/net/ne2000.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c index 9dd0c67..b032212 100644 --- a/hw/net/ne2000.c +++ b/hw/net/ne2000.c @@ -269,6 +269,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_) static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val) { + uint32_t v; NE2000State *s = opaque; int offset, page, index;
@@ -309,17 +310,20 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val) offset = addr | (page << 4); switch(offset) { case EN0_STARTPG: - if (val << 8 <= NE2000_PMEM_END) { - s->start = val << 8; + v = val << 8; + if (v < NE2000_PMEM_END && v < s->stop) { + s->start = v; } break; case EN0_STOPPG: - if (val << 8 <= NE2000_PMEM_END) { - s->stop = val << 8; + v = val << 8; + if (v <= NE2000_PMEM_END && v > s->start) { + s->stop = v; } break; case EN0_BOUNDARY: - if (val << 8 < NE2000_PMEM_END) { + v = val << 8; + if (v >= s->start && v <= s->stop) { s->boundary = val; } break; @@ -362,7 +366,8 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val) s->phys[offset - EN1_PHYS] = val; break; case EN1_CURPAG: - if (val << 8 < NE2000_PMEM_END) { + v = val << 8; + if (v >= s->start && v <= s->stop) { s->curpag = val; } break; -- 2.5.0
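Review bot: the cross-register conditions added in the EN0_STARTPG, EN0_STOPPG and EN0_BOUNDARY cases of the `@@ -309,17 +310,20 @@` hunk make these writes order-dependent, which the old checks were not, so a guest that programs the ring in any order other than PSTOP first, then PSTART, then BOUNDARY gets writes silently dropped: `if (v < NE2000_PMEM_END && v < s->stop)` rejects a PSTART written before PSTOP (it is compared against whatever s->stop holds at that moment, and this patch does not touch reset), `if (v <= NE2000_PMEM_END && v > s->start)` likewise depends on the current start, and `if (v >= s->start && v <= s->stop)` rejects a BOUNDARY written before PSTOP. The same thing happens when a driver moves the ring upward from its current location (new PSTART at or above the old PSTOP). Since the property the fix actually needs is start < stop, with boundary and curpag inside the ring, at the moment the ring is used, it would be more robust to keep only the NE2000_PMEM_END range checks here and enforce the relationship in the receive path (for example, treat the buffer as full and refuse to receive while s->stop <= s->start), which also covers start/stop values that reach the device state without passing through ne2000_ioport_write. Two smaller points in the same hunk: the STARTPG upper bound quietly changes from `<=` to `<` NE2000_PMEM_END, which the commit message does not mention, and the BOUNDARY case drops its explicit `< NE2000_PMEM_END` bound in favour of `v <= s->stop`, which is only equivalent if s->stop has itself been validated, and it also accepts the stop page itself although the ring's last page is PSTOP - 1.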
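Review bot: the EN1_CURPAG check `if (v >= s->start && v <= s->stop)` in the `@@ -362,7 +366,8 @@` hunk has the same ordering problem as the BOUNDARY case (a CURPAG write that precedes the PSTART/PSTOP writes is dropped) and, more importantly, a value accepted here is never re-validated when PSTART or PSTOP changes afterwards, so after a later EN0_STARTPG or EN0_STOPPG write s->curpag (and s->boundary) can again lie outside [start, stop) and this check does not establish any invariant at the point where ne2000_receive indexes the ring. It also accepts v == s->stop, the page just past the ring. If write-time validation is kept, either re-clamp curpag and boundary whenever start or stop changes, or validate curpag and boundary against start/stop where they are consumed and leave this case with the original `val << 8 < NE2000_PMEM_END` check.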