From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:50721) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1a3Lyz-0005bK-D0 for qemu-devel@nongnu.org; Mon, 30 Nov 2015 05:46:58 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1a3Lyu-0005aA-T0 for qemu-devel@nongnu.org; Mon, 30 Nov 2015 05:46:57 -0500 Date: Mon, 30 Nov 2015 12:46:49 +0200 From: "Michael S. Tsirkin" Message-ID: <20151130124642-mutt-send-email-mst@redhat.com> References: <1448869103-16281-1-git-send-email-jasowang@redhat.com> <1448869103-16281-2-git-send-email-jasowang@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1448869103-16281-2-git-send-email-jasowang@redhat.com> Subject: Re: [Qemu-devel] [PATCH for 2.5 2/2] pcnet: fix rx buffer overflow(CVE-2015-7512) List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Jason Wang Cc: qemu-stable@nongnu.org, qemu-devel@nongnu.org, Prasad J Pandit On Mon, Nov 30, 2015 at 03:38:23PM +0800, Jason Wang wrote: > Backends could provide a packet whose length is greater than buffer > size. Check for this and truncate the packet to avoid rx buffer > overflow in this case. > > Cc: Prasad J Pandit > Cc: qemu-stable@nongnu.org > Signed-off-by: Jason Wang Reviewed-by: Michael S. Tsirkin > --- > hw/net/pcnet.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c > index 309c40b..1f4a3db 100644 > --- a/hw/net/pcnet.c > +++ b/hw/net/pcnet.c > @@ -1064,6 +1064,12 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_) > int pktcount = 0; > > if (!s->looptest) { > + if (size > 4092) { > +#ifdef PCNET_DEBUG_RMD > + fprintf(stderr, "pcnet: truncates rx packet.\n"); > +#endif > + size = 4092; > + } > memcpy(src, buf, size); > /* no need to compute the CRC */ > src[size] = 0; > -- > 2.5.0 >