From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:50573)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mst@redhat.com>) id 1a3Lyn-0005DE-OL
	for qemu-devel@nongnu.org; Mon, 30 Nov 2015 05:46:46 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mst@redhat.com>) id 1a3Lyj-0005X8-6p
	for qemu-devel@nongnu.org; Mon, 30 Nov 2015 05:46:45 -0500
Date: Mon, 30 Nov 2015 12:46:38 +0200
From: "Michael S. Tsirkin" <mst@redhat.com>
Message-ID: <20151130124631-mutt-send-email-mst@redhat.com>
References: <1448869103-16281-1-git-send-email-jasowang@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1448869103-16281-1-git-send-email-jasowang@redhat.com>
Subject: Re: [Qemu-devel] [PATCH for 2.5 1/2] net: pcnet: add check to
 validate receive data size(CVE-2015-7504)
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Jason Wang <jasowang@redhat.com>
Cc: qemu-stable@nongnu.org, qemu-devel@nongnu.org, Prasad J Pandit <pjp@fedoraproject.org>

On Mon, Nov 30, 2015 at 03:38:22PM +0800, Jason Wang wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
> 
> In loopback mode, pcnet_receive routine appends CRC code to the
> receive buffer. If the data size given is same as the buffer size,
> the appended CRC code overwrites 4 bytes after s->buffer. Added a
> check to avoid that.
> 
> Reported by: Qinghao Tang <luodalongde@gmail.com>
> Cc: qemu-stable@nongnu.org
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> Signed-off-by: Jason Wang <jasowang@redhat.com>

Reviewed-by: Michael S. Tsirkin <mst@redhat.com>

> ---
>  hw/net/pcnet.c | 8 +++++---
>  1 file changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
> index 0eb3cc4..309c40b 100644
> --- a/hw/net/pcnet.c
> +++ b/hw/net/pcnet.c
> @@ -1084,7 +1084,7 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
>                  uint32_t fcs = ~0;
>                  uint8_t *p = src;
>  
> -                while (p != &src[size-4])
> +                while (p != &src[size])
>                      CRC(fcs, *p++);
>                  crc_err = (*(uint32_t *)p != htonl(fcs));
>              }
> @@ -1233,8 +1233,10 @@ static void pcnet_transmit(PCNetState *s)
>          bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
>  
>          /* if multi-tmd packet outsizes s->buffer then skip it silently.
> -           Note: this is not what real hw does */
> -        if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
> +         * Note: this is not what real hw does.
> +         * Last four bytes of s->buffer are used to store CRC FCS code.
> +         */
> +        if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) {
>              s->xmit_pos = -1;
>              goto txdone;
>          }
> -- 
> 2.5.0
>