From 3a15cc0e1ee7168db0782133d2607a6bfa422d66 Mon Sep 17 00:00:00 2001
|
|
From: Prasad J Pandit <pjp@fedoraproject.org>
|
|
Date: Fri, 8 Apr 2016 11:33:48 +0530
|
|
Subject: [PATCH] net: stellaris_enet: check packet length against receive
|
|
buffer
|
|
|
|
When receiving packets over Stellaris ethernet controller, it
|
|
uses receive buffer of size 2048 bytes. In case the controller
|
|
accepts large(MTU) packets, it could lead to memory corruption.
|
|
Add check to avoid it.
|
|
|
|
Reported-by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com>
|
|
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
|
Message-id: 1460095428-22698-1-git-send-email-ppandit@redhat.com
|
|
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
|
|
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
|
---
|
|
hw/net/stellaris_enet.c | 12 +++++++++++-
|
|
1 file changed, 11 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c
|
|
index 84cf60b..6880894 100644
|
|
--- a/hw/net/stellaris_enet.c
|
|
+++ b/hw/net/stellaris_enet.c
|
|
@@ -236,8 +236,18 @@ static ssize_t stellaris_enet_receive(NetClientState *nc, const uint8_t *buf, si
|
|
n = s->next_packet + s->np;
|
|
if (n >= 31)
|
|
n -= 31;
|
|
- s->np++;
|
|
|
|
+ if (size >= sizeof(s->rx[n].data) - 6) {
|
|
+ /* If the packet won't fit into the
|
|
+ * emulated 2K RAM, this is reported
|
|
+ * as a FIFO overrun error.
|
|
+ */
|
|
+ s->ris |= SE_INT_FOV;
|
|
+ stellaris_enet_update(s);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ s->np++;
|
|
s->rx[n].len = size + 6;
|
|
p = s->rx[n].data;
|
|
*(p++) = (size + 6);
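Review bot: The bound in `if (size >= sizeof(s->rx[n].data) - 6)` relies on a bare `6` and on `>=` rather than `>`, and the added comment explains the overrun reporting but not that arithmetic, which is what a later editor is most likely to get wrong on a buffer write sized by a network-supplied `size`. The same constant recurs in `s->rx[n].len = size + 6` and `*(p++) = (size + 6)`, so a comment at the check would tie them together, e.g. `/* 6 = length prefix + CRC stored around the payload (confirm against the writes below); >= keeps room for any trailing padding */`. The writes that consume this headroom are outside the hunk, so the breakdown of the 6 bytes and the reason for `>=` are inferred rather than visible here. stellaris_enet_receive starts and ends outside the hunk.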
|
|
--
|
|
2.7.4
|
|
|