diff options
author | ths <ths@c046a42c-6fe2-441c-8c8c-71466251a162> | 2007-06-25 13:47:44 +0000 |
---|---|---|
committer | ths <ths@c046a42c-6fe2-441c-8c8c-71466251a162> | 2007-06-25 13:47:44 +0000 |
commit | 0ae045ae439ad83692ad039a554f7d62acf9de5c (patch) | |
tree | 79a7aab2d9eec4e60c7ad8665e7e4515500af7e9 /hw | |
parent | aec62507bb6a14b02575f40ec84f617b935043d3 (diff) |
Insufficient input validation in NE2000 card, written by Tavis Ormandy,
contributed by Aurelien Jarno.
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@3019 c046a42c-6fe2-441c-8c8c-71466251a162
Diffstat (limited to 'hw')
-rw-r--r-- | hw/ne2000.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/hw/ne2000.c b/hw/ne2000.c index 1625c55388..6d5aa56e17 100644 --- a/hw/ne2000.c +++ b/hw/ne2000.c @@ -224,7 +224,7 @@ static void ne2000_receive(void *opaque, const uint8_t *buf, int size) { NE2000State *s = opaque; uint8_t *p; - int total_len, next, avail, len, index, mcast_idx; + unsigned int total_len, next, avail, len, index, mcast_idx; uint8_t buf1[60]; static const uint8_t broadcast_macaddr[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; @@ -293,7 +293,10 @@ static void ne2000_receive(void *opaque, const uint8_t *buf, int size) /* write packet data */ while (size > 0) { - avail = s->stop - index; + if (index <= s->stop) + avail = s->stop - index; + else + avail = 0; len = size; if (len > avail) len = avail; |