From 0ae045ae439ad83692ad039a554f7d62acf9de5c Mon Sep 17 00:00:00 2001 From: ths Date: Mon, 25 Jun 2007 13:47:44 +0000 Subject: Insufficient input validation in NE2000 card, written by Tavis Ormandy, contributed by Aurelien Jarno. git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@3019 c046a42c-6fe2-441c-8c8c-71466251a162 --- hw/ne2000.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'hw/ne2000.c') diff --git a/hw/ne2000.c b/hw/ne2000.c index 1625c55388..6d5aa56e17 100644 --- a/hw/ne2000.c +++ b/hw/ne2000.c @@ -224,7 +224,7 @@ static void ne2000_receive(void *opaque, const uint8_t *buf, int size) { NE2000State *s = opaque; uint8_t *p; - int total_len, next, avail, len, index, mcast_idx; + unsigned int total_len, next, avail, len, index, mcast_idx; uint8_t buf1[60]; static const uint8_t broadcast_macaddr[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; @@ -293,7 +293,10 @@ static void ne2000_receive(void *opaque, const uint8_t *buf, int size) /* write packet data */ while (size > 0) { - avail = s->stop - index; + if (index <= s->stop) + avail = s->stop - index; + else + avail = 0; len = size; if (len > avail) len = avail; -- cgit v1.2.3