rtl8139: fix possible out of bound access (1a326646) · Commits · SUMMER2020 / students / proj-2021291

hw/net/rtl8139.c

+4 −4

Original line number	Diff line number	Diff line
		@@ -817,7 +817,7 @@ static ssize_t rtl8139_do_receive(NetClientState nc, const uint8_t buf, size_t
		RTL8139State *s = qemu_get_nic_opaque(nc);
		PCIDevice *d = PCI_DEVICE(s);
		/* size is the length of the buffer passed to the driver */
		int size = size_;
		size_t size = size_;
		const uint8_t *dot1q_buf = NULL;

		uint32_t packet_header = 0;
		@@ -826,7 +826,7 @@ static ssize_t rtl8139_do_receive(NetClientState nc, const uint8_t buf, size_t
		static const uint8_t broadcast_macaddr[6] =
		{ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };

		DPRINTF(">>> received len=%d\n", size);
		DPRINTF(">>> received len=%zu\n", size);

		/* test if board clock is stopped */
		if (!s->clock_enabled)
		@@ -1035,7 +1035,7 @@ static ssize_t rtl8139_do_receive(NetClientState nc, const uint8_t buf, size_t

		if (size+4 > rx_space)
		{
		DPRINTF("C+ Rx mode : descriptor %d size %d received %d + 4\n",
		DPRINTF("C+ Rx mode : descriptor %d size %d received %zu + 4\n",
		descriptor, rx_space, size);

		s->IntrStatus \|= RxOverflow;
		@@ -1148,7 +1148,7 @@ static ssize_t rtl8139_do_receive(NetClientState nc, const uint8_t buf, size_t
		if (avail != 0 && RX_ALIGN(size + 8) >= avail)
		{
		DPRINTF("rx overflow: rx buffer length %d head 0x%04x "
		"read 0x%04x === available 0x%04x need 0x%04x\n",
		"read 0x%04x === available 0x%04x need 0x%04zx\n",
		s->RxBufferSize, s->RxBufAddr, s->RxBufPtr, avail, size + 8);

		s->IntrStatus \|= RxOverflow;