From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:47021) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bX1RI-0004cI-LD for qemu-devel@nongnu.org; Tue, 09 Aug 2016 03:27:05 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1bX1RH-0002IO-Ro for qemu-devel@nongnu.org; Tue, 09 Aug 2016 03:27:04 -0400 References: From: Jason Wang Message-ID: Date: Tue, 9 Aug 2016 15:26:52 +0800 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: quoted-printable Subject: Re: [Qemu-devel] [PATCH] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: chaojianhu , qemu-devel@nongnu.org Cc: qemu-trivial@nongnu.org, edgar.iglesias@gmail.com, alistair.francis@xilinx.com, qemu-arm@nongnu.org On 2016=E5=B9=B408=E6=9C=8809=E6=97=A5 11:52, chaojianhu wrote: > The .receive callback of xlnx.xps-ethernetlite doesn't check the length > of data before calling memcpy. As a result, the NetClientState object i= n > heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlit= e > will be affected. > > Reported-by: chaojianhu > Signed-off-by: chaojianhu > > --- > hw/net/xilinx_ethlite.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c > index 54db2b8..35de353 100644 > --- a/hw/net/xilinx_ethlite.c > +++ b/hw/net/xilinx_ethlite.c > @@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const ui= nt8_t *buf, size_t size) > } > =20 > D(qemu_log("%s %zd rxbase=3D%x\n", __func__, size, rxbase)); > + if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4) { > + D(qemu_log("ethlite packet is too big, size=3D%x\n", size)); > + return -1; > + } > memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size); > =20 > s->regs[rxbase + R_RX_CTRL0] |=3D CTRL_S; Applied, thanks.