[Qemu-devel] [PATCH 1/2] net: stellaris_enet: check packet length against receive buffer

[Qemu-devel] [PATCH 1/2] net: stellaris_enet: check packet length against receive buffer

[P J P]

From: Prasad J Pandit <pjp@fedoraproject.org>

When receiving packets over Stellaris ethernet controller, it
uses receive buffer of size 2048 bytes. In case the controller
accepts large(MTU) packets, it could lead to memory corruption.
Add check to avoid it.

Reported by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com>

Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
 hw/net/stellaris_enet.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c
index 21a4773..47b869a 100644
--- a/hw/net/stellaris_enet.c
+++ b/hw/net/stellaris_enet.c
@@ -237,6 +237,9 @@ static ssize_t stellaris_enet_receive(NetClientState *nc, const uint8_t *buf, si
         n -= 31;
     s->np++;
 
+    if (size >= sizeof(s->rx[n].data) - 6) {
+        return -1;
+    }
     s->rx[n].len = size + 6;
     p = s->rx[n].data;
     *(p++) = (size + 6);
-- 
2.5.5

Re: [Qemu-devel] [PATCH 1/2] net: stellaris_enet: check packet length against receive buffer

[Peter Maydell]

On 7 April 2016 at 11:25, P J P <ppandit@redhat.com> wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> When receiving packets over Stellaris ethernet controller, it
> uses receive buffer of size 2048 bytes. In case the controller
> accepts large(MTU) packets, it could lead to memory corruption.
> Add check to avoid it.
>
> Reported by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com>
>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
>  hw/net/stellaris_enet.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c
> index 21a4773..47b869a 100644
> --- a/hw/net/stellaris_enet.c
> +++ b/hw/net/stellaris_enet.c
> @@ -237,6 +237,9 @@ static ssize_t stellaris_enet_receive(NetClientState *nc, const uint8_t *buf, si
>          n -= 31;
>      s->np++;

We should do this check before we increase s->np, because
if we're going to bail out then we won't be putting this
packet into the RX FIFO.

> +    if (size >= sizeof(s->rx[n].data) - 6) {
> +        return -1;
> +    }

The datasheet for this chip says that we should report this
to the guest:

"For the Ethernet Controller, data sent/received can be larger
than 1500 bytes without causing a Frame Too Long error. Instead,
a FIFO overrun error is reported using the FOV bit in the
Ethernet MAC Raw Interrupt Status (MACRIS) register when the
frame received is too large to fit in the Ethernet Controller's
2K RAM."
So you want something like:

   /* If the packet won't fit into the emulated 2K RAM, this
    * is reported as a FIFO overrun error.
    */
   s->ris |= SE_INT_FOV;
   stellaris_enet_update(s);
   return -1;


thanks
-- PMM

Re: [Qemu-devel] [PATCH 1/2] net: stellaris_enet: check packet length against receive buffer

[P J P]

+-- On Thu, 7 Apr 2016, Peter Maydell wrote --+
| >          n -= 31;
| >      s->np++;
| 
| We should do this check before we increase s->np, because
| if we're going to bail out then we won't be putting this
| packet into the RX FIFO.

  Ah, right.

| The datasheet for this chip says that we should report this
| to the guest:
| 
| "For the Ethernet Controller, data sent/received can be larger
| than 1500 bytes without causing a Frame Too Long error. Instead,
| a FIFO overrun error is reported using the FOV bit in the
| Ethernet MAC Raw Interrupt Status (MACRIS) register when the
| frame received is too large to fit in the Ethernet Controller's
| 2K RAM."
| So you want something like:
| 
|    /* If the packet won't fit into the emulated 2K RAM, this
|     * is reported as a FIFO overrun error.
|     */
|    s->ris |= SE_INT_FOV;
|    stellaris_enet_update(s);
|    return -1;

  Okay. I have sent a revised patch v2, with these updates.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F