diff options
author | Pavel Pisa <pisa@cmp.felk.cvut.cz> | 2021-07-29 14:33:27 +0200 |
---|---|---|
committer | Jason Wang <jasowang@redhat.com> | 2021-08-02 12:19:18 +0800 |
commit | 11744862f27b9ba6488a247d2fd6bb83d9bc3c8d (patch) | |
tree | c98f7607ae8e62bfc867dbcac9d1b40f13d98b6c /hw/net | |
parent | 9010b0c7a9a097590e183f63716091f6c42a223f (diff) |
hw/net/can: sja1000 fix buff2frame_bas and buff2frame_pel when dlc is out of std CAN 8 bytes
Problem reported by openEuler fuzz-sig group.
The buff2frame_bas function (hw\net\can\can_sja1000.c)
infoleak(qemu5.x~qemu6.x) or stack-overflow(qemu 4.x).
Reported-by: Qiang Ning <ningqiang1@huawei.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Pavel Pisa <pisa@cmp.felk.cvut.cz>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Diffstat (limited to 'hw/net')
-rw-r--r-- | hw/net/can/can_sja1000.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/hw/net/can/can_sja1000.c b/hw/net/can/can_sja1000.c index 42d2f99dfb..34eea684ce 100644 --- a/hw/net/can/can_sja1000.c +++ b/hw/net/can/can_sja1000.c @@ -275,6 +275,10 @@ static void buff2frame_pel(const uint8_t *buff, qemu_can_frame *frame) } frame->can_dlc = buff[0] & 0x0f; + if (frame->can_dlc > 8) { + frame->can_dlc = 8; + } + if (buff[0] & 0x80) { /* Extended */ frame->can_id |= QEMU_CAN_EFF_FLAG; frame->can_id |= buff[1] << 21; /* ID.28~ID.21 */ @@ -311,6 +315,10 @@ static void buff2frame_bas(const uint8_t *buff, qemu_can_frame *frame) } frame->can_dlc = buff[1] & 0x0f; + if (frame->can_dlc > 8) { + frame->can_dlc = 8; + } + for (i = 0; i < frame->can_dlc; i++) { frame->data[i] = buff[2 + i]; } |