From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:38966)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <jasowang@redhat.com>) id 1aL01I-00063z-9N
	for qemu-devel@nongnu.org; Sun, 17 Jan 2016 21:58:17 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <jasowang@redhat.com>) id 1aL01H-0005iS-4Y
	for qemu-devel@nongnu.org; Sun, 17 Jan 2016 21:58:16 -0500
References: <1452841240-30377-1-git-send-email-ppandit@redhat.com>
From: Jason Wang <jasowang@redhat.com>
Message-ID: <569C54B6.3010404@redhat.com>
Date: Mon, 18 Jan 2016 10:57:58 +0800
MIME-Version: 1.0
In-Reply-To: <1452841240-30377-1-git-send-email-ppandit@redhat.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH] net: cadence_gem: check packet size in
	gem_recieve
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: P J P <ppandit@redhat.com>, QEMU Developers <qemu-devel@nongnu.org>
Cc: qemu-arm <qemu-arm@nongnu.org>, Prasad J Pandit <pjp@fedoraproject.org>, Ling Liu <liuling-it@360.cn>, "Michael S. Tsirkin" <mst@redhat.com>



On 01/15/2016 03:00 PM, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> While receiving packets in 'gem_receive' routine, if Frame Check
> Sequence(FCS) is enabled, it copies the packet into a local
> buffer without checking its size. Add check to validate packet
> length against the buffer size to avoid buffer overflow.
>
> Reported-by: Ling Liu <liuling-it@360.cn>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
>  hw/net/cadence_gem.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
> index 3639fc1..c3a273b 100644
> --- a/hw/net/cadence_gem.c
> +++ b/hw/net/cadence_gem.c
> @@ -677,10 +677,14 @@ static ssize_t gem_receive(NetClientState *nc, const uint8_t *buf, size_t size)
>      } else {
>          unsigned crc_val;
>  
> +        if (size > sizeof(rxbuf) - sizeof(crc_val)) {
> +            size = sizeof(rxbuf) - sizeof(crc_val);
> +        }
> +        bytes_to_copy = size;
> +
>          /* The application wants the FCS field, which QEMU does not provide.
>           * We must try and calculate one.
>           */
> -

Unnecessary whitespace change.

>          memcpy(rxbuf, buf, size);

We probably need more check, is there any guarantee that size <= 2048?
If not, need fix.

Thanks

>          memset(rxbuf + size, 0, sizeof(rxbuf) - size);
>          rxbuf_ptr = rxbuf;