authorPeter Maydell <peter.maydell@linaro.org>2016-04-11 14:37:53 +0100
committerPeter Maydell <peter.maydell@linaro.org>2016-04-11 14:37:53 +0100
commitdc1ffa66619b3661f17a309b0aa8d65d8d29583f (patch)
treeb6710f8c71ea355b2c4f902f456f331cc6775ce9
parent5144fe36056d3a94b0d8da9e10adc555c057baa8 (diff)
parent3a15cc0e1ee7168db0782133d2607a6bfa422d66 (diff)
downloadqemu-dc1ffa66619b3661f17a309b0aa8d65d8d29583f.tar.gz
Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20160411' into staging
target-arm queue: * stellaris_enet: don't overrun buffer if fed oversize packet # gpg: Signature made Mon 11 Apr 2016 14:36:27 BST using RSA key ID 14360CDE # gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" # gpg: aka "Peter Maydell <pmaydell@gmail.com>" # gpg: aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" * remotes/pmaydell/tags/pull-target-arm-20160411: net: stellaris_enet: check packet length against receive buffer Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-rw-r--r--hw/net/stellaris_enet.c12
1 files changed, 11 insertions, 1 deletions
diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c
index 84cf60b303..6880894945 100644
--- a/hw/net/stellaris_enet.c
+++ b/hw/net/stellaris_enet.c
@@ -236,8 +236,18 @@ static ssize_t stellaris_enet_receive(NetClientState *nc, const uint8_t *buf, si
n = s->next_packet + s->np;
if (n >= 31)
n -= 31;
- s->np++;
+ if (size >= sizeof(s->rx[n].data) - 6) {
+ /* If the packet won't fit into the
+ * emulated 2K RAM, this is reported
+ * as a FIFO overrun error.
+ */
+ s->ris |= SE_INT_FOV;
+ stellaris_enet_update(s);
+ return -1;
+ }
+
+ s->np++;
s->rx[n].len = size + 6;
p = s->rx[n].data;
*(p++) = (size + 6);
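Review bot: The new guard `if (size >= sizeof(s->rx[n].data) - 6)` depends on a bare `6` that reappears in `s->rx[n].len = size + 6` and `*(p++) = (size + 6)` just below, and nothing in the hunk says which bytes it accounts for. Since this comparison is the only thing keeping a network-supplied `size` inside the per-slot receive buffer, I would name the overhead once, e.g. `#define SE_RX_OVERHEAD 6 /* presumably length header + CRC; confirm */`, and use it in the check and in both writes so they cannot drift apart. The copy into `data` and any trailing padding happen after the last visible line of stellaris_enet_receive, so it is worth confirming there that the largest accepted `size` plus every byte written still fits. A short comment on the `return -1` path stating that the frame is dropped and `s->np` is deliberately left unchanged would also help the next reader.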