aboutsummaryrefslogtreecommitdiff
path: root/hw/net
diff options
context:
space:
mode:
authorMichael S. Tsirkin <mst@redhat.com>2016-01-14 11:43:30 +0200
committerJason Wang <jasowang@redhat.com>2016-02-04 13:22:06 +0800
commitd7f053652fef48bee7c461c162c8d4d2c96ab157 (patch)
tree3f330b046e6102caf7fabb18ede347802630419e /hw/net
parent244381ec19ce1412b474f41b5f30fe1da846451b (diff)
cadence_gem: fix buffer overflow
gem_transmit copies a packet from guest into an tx_packet[2048] array on stack, with size limited by descriptor length set by guest. If guest is malicious and specifies a descriptor length that is too large, and should packet size exceed array size, this results in a buffer overflow. Reported-by: 刘令 <liuling-it@360.cn> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
Diffstat (limited to 'hw/net')
-rw-r--r--hw/net/cadence_gem.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
index e513d9d5ba..0346f3e335 100644
--- a/hw/net/cadence_gem.c
+++ b/hw/net/cadence_gem.c
@@ -867,6 +867,14 @@ static void gem_transmit(CadenceGEMState *s)
break;
}
+ if (tx_desc_get_length(desc) > sizeof(tx_packet) - (p - tx_packet)) {
+ DB_PRINT("TX descriptor @ 0x%x too large: size 0x%x space 0x%x\n",
+ (unsigned)packet_desc_addr,
+ (unsigned)tx_desc_get_length(desc),
+ sizeof(tx_packet) - (p - tx_packet));
+ break;
+ }
+
/* Gather this fragment of the packet from "dma memory" to our contig.
* buffer.
*/