Commit 9f7c594c authored by Petr Matousek's avatar Petr Matousek Committed by Stefan Hajnoczi
Browse files

pcnet: force the buffer access to be in bounds during tx 



4096 is the maximum length per TMD and it is also currently the size of
the relay buffer pcnet driver uses for sending the packet data to QEMU
for further processing. With packet spanning multiple TMDs it can
happen that the overall packet size will be bigger than sizeof(buffer),
which results in memory corruption.

Fix this by only allowing to queue maximum sizeof(buffer) bytes.

This is CVE-2015-3209.

[Fixed 3-space indentation to QEMU's 4-space coding standard.
--Stefan]

Signed-off-by: default avatarPetr Matousek <pmatouse@redhat.com>
Reported-by: default avatarMatt Tait <matttait@google.com>
Reviewed-by: default avatarPeter Maydell <peter.maydell@linaro.org>
Reviewed-by: default avatarStefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: default avatarStefan Hajnoczi <stefanha@redhat.com>
parent b0411142

hw/net/pcnet.c

+8 −0
Original line number Diff line number Diff line
@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s) 
        }



        bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);



        /* if multi-tmd packet outsizes s->buffer then skip it silently.

           Note: this is not what real hw does */

        if (s->xmit_pos + bcnt > sizeof(s->buffer)) {

            s->xmit_pos = -1;

            goto txdone;

        }



        s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),

                         s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));

        s->xmit_pos += bcnt;