Merge remote-tracking branch 'remotes/stefanha/tags/CVE-2015-3209-pcnet-tx-buffer-fix-pull-request' into staging

# gpg: Signature made Wed Jun 10 15:04:11 2015 BST using RSA key ID 81AB73C8 # gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>" # gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>" * remotes/stefanha/tags/CVE-2015-3209-pcnet-tx-buffer-fix-pull-request: pcnet: force the buffer access to be in bounds during tx Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
author: Peter Maydell <peter.maydell@linaro.org> 2015-06-10 15:10:14 +0100
committer: Peter Maydell <peter.maydell@linaro.org> 2015-06-10 15:10:14 +0100
commit: e015fe008a3a8901913248cdb50c62dba795c588 (patch)
tree: c0ec35dc415f0ae1f0306b1dbc21b0d8668ba849
parent: b0411142f482df92717f8b4a3b746081a62b724f (diff)
parent: 9f7c594c006289ad41169b854d70f5da6e400a2a (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
index bdfd38f4ca..68b9981983 100644
--- a/hw/net/pcnet.c
+++ b/hw/net/pcnet.c
@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s)
         }
 
         bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
+
+        /* if multi-tmd packet outsizes s->buffer then skip it silently.
+           Note: this is not what real hw does */
+        if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
+            s->xmit_pos = -1;
+            goto txdone;
+        }
+
         s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
                          s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
         s->xmit_pos += bcnt;
author	Peter Maydell <peter.maydell@linaro.org>	2015-06-10 15:10:14 +0100
committer	Peter Maydell <peter.maydell@linaro.org>	2015-06-10 15:10:14 +0100
commit	e015fe008a3a8901913248cdb50c62dba795c588 (patch)
tree	c0ec35dc415f0ae1f0306b1dbc21b0d8668ba849
parent	b0411142f482df92717f8b4a3b746081a62b724f (diff)
parent	9f7c594c006289ad41169b854d70f5da6e400a2a (diff)