From: Jason Wang
Date: Tue, 26 Apr 2016 15:16:55 +0800
Subject: Re: [Qemu-devel] [PATCH] net: mipsnet: check packet length against buffer
To: P J P, Qemu Developers
Cc: Oleksandr Bazhaniuk, Prasad J Pandit
Message-ID: <571F15E7.2080808@redhat.com>
In-Reply-To: <1460024762-14592-1-git-send-email-ppandit@redhat.com>
References: <1460024762-14592-1-git-send-email-ppandit@redhat.com>

On 04/07/2016 06:26 PM, P J P wrote:
> From: Prasad J Pandit
>
> When receiving packets over MIPSnet network device, it uses
> receive buffer of size 1514 bytes. In case the controller
> accepts large(MTU) packets, it could lead to memory corruption.
> Add check to avoid it.
>
> Reported by: Oleksandr Bazhaniuk
>
> Signed-off-by: Prasad J Pandit
> ---
> hw/net/mipsnet.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/hw/net/mipsnet.c b/hw/net/mipsnet.c > index f261011..e134b31 100644 > --- a/hw/net/mipsnet.c > +++ b/hw/net/mipsnet.c > @@ -82,6 +82,9 @@ static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si > if (!mipsnet_can_receive(nc)) > return 0; > > + if (size >= sizeof(s->rx_buffer)) { > + return 0; > + } > s->busy = 1; > > /* Just accept everything. */

Apply to net-next. Thanks
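
Review bot: In the added check, `size >= sizeof(s->rx_buffer)` also rejects a packet whose length equals the buffer size; with the 1514-byte buffer the commit message describes, a maximum-size untagged Ethernet frame would be dropped even though it fits. Unless the code after this hunk needs a spare byte, `size > sizeof(s->rx_buffer)` is the tighter bound. The check also returns 0, the same value as the `mipsnet_can_receive()` failure path just above it, so the caller cannot tell an oversized packet, which will never fit, from a device that is temporarily not ready; consider returning -1 for the oversized case, and add a one-line comment stating the limit being enforced.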