net: add checks to validate ring buffer pointers(CVE-2015-5279) (9bbdbc66) · Commits · SUMMER2020 / students / proj-2021291

hw/net/ne2000.c

+15 −4

Original line number	Diff line number	Diff line
		@@ -221,6 +221,9 @@ ssize_t ne2000_receive(NetClientState nc, const uint8_t buf, size_t size_)
		}

		index = s->curpag << 8;
		if (index >= NE2000_PMEM_END) {
		index = s->start;
		}
		/* 4 bytes for header */
		total_len = size + 4;
		/* address for next packet (4 bytes for CRC) */
		@@ -306,13 +309,19 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
		offset = addr \| (page << 4);
		switch(offset) {
		case EN0_STARTPG:
		if (val << 8 <= NE2000_PMEM_END) {
		s->start = val << 8;
		}
		break;
		case EN0_STOPPG:
		if (val << 8 <= NE2000_PMEM_END) {
		s->stop = val << 8;
		}
		break;
		case EN0_BOUNDARY:
		if (val << 8 < NE2000_PMEM_END) {
		s->boundary = val;
		}
		break;
		case EN0_IMR:
		s->imr = val;
		@@ -353,7 +362,9 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
		s->phys[offset - EN1_PHYS] = val;
		break;
		case EN1_CURPAG:
		if (val << 8 < NE2000_PMEM_END) {
		s->curpag = val;
		}
		break;
		case EN1_MULT ... EN1_MULT + 7:
		s->mult[offset - EN1_MULT] = val;