diff options
author | Michael S. Tsirkin <mst@redhat.com> | 2010-07-12 20:24:59 +0300 |
---|---|---|
committer | Michael S. Tsirkin <mst@redhat.com> | 2010-07-19 13:49:19 +0300 |
commit | b0b900070c7cb29bbefb732ec00397abe5de6d73 (patch) | |
tree | cdf5929f0575af0eb10a701564f79c12004bef58 | |
parent | d67eb20f6a387a10475b945c9e91fe2a00cffd93 (diff) |
e1000: fix access 4 bytes beyond buffer end
We do range check for size, and get size as buffer,
but copy size + 4 bytes (4 is for FCS).
Let's copy size bytes but put size + 4 in length.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-rw-r--r-- | hw/e1000.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/hw/e1000.c b/hw/e1000.c index 0da65f9a34..70aba11296 100644 --- a/hw/e1000.c +++ b/hw/e1000.c @@ -649,7 +649,6 @@ e1000_receive(VLANClientState *nc, const uint8_t *buf, size_t size) } rdh_start = s->mac_reg[RDH]; - size += 4; // for the header do { if (s->mac_reg[RDH] == s->mac_reg[RDT] && s->check_rxov) { set_ics(s, 0, E1000_ICS_RXO); @@ -663,7 +662,7 @@ e1000_receive(VLANClientState *nc, const uint8_t *buf, size_t size) if (desc.buffer_addr) { cpu_physical_memory_write(le64_to_cpu(desc.buffer_addr), (void *)(buf + vlan_offset), size); - desc.length = cpu_to_le16(size); + desc.length = cpu_to_le16(size + 4 /* for FCS */); desc.status |= E1000_RXD_STAT_EOP|E1000_RXD_STAT_IXSM; } else // as per intel docs; skip descriptors with null buf addr DBGOUT(RX, "Null RX descriptor!!\n"); |