[Qemu-devel] [PATCH, Security] insufficient input validation in NE2000 card

[Qemu-devel] [PATCH, Security] insufficient input validation in NE2000 card

[Aurelien Jarno]

>From Debian Security Announce:

  CVE-2007-1321
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1321

  Tavis Ormandy discovered that the NE2000 network driver and the socket
  code perform insufficient input validation, which might allow the
  execution of arbitrary code through a heap overflow.

The patch below is the patch used by the Debian package to fix this.


Index: hw/ne2000.c
===================================================================
--- hw/ne2000.c.orig	2007-05-16 06:42:14.000000000 +0300
+++ hw/ne2000.c	2007-05-16 06:42:15.000000000 +0300
@@ -230,7 +230,7 @@ static void ne2000_receive(void *opaque,
 {
     NE2000State *s = opaque;
     uint8_t *p;
-    int total_len, next, avail, len, index, mcast_idx;
+    unsigned int total_len, next, avail, len, index, mcast_idx;
     uint8_t buf1[60];
     static const uint8_t broadcast_macaddr[6] = 
         { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
@@ -299,7 +299,11 @@ static void ne2000_receive(void *opaque,
 
     /* write packet data */
     while (size > 0) {
-        avail = s->stop - index;
+        /* taviso: this can wrap, so check its okay. */
+        if (index <= s->stop)
+            avail = s->stop - index;
+        else
+            avail = 0;
         len = size;
         if (len > avail)
             len = avail;


-- 
  .''`.  Aurelien Jarno	            | GPG: 1024D/F1BCDB73
 : :' :  Debian developer           | Electrical Engineer
 `. `'   aurel32@debian.org         | aurelien@aurel32.net
   `-    people.debian.org/~aurel32 | www.aurel32.net