Commit a0d1cbda authored by chaojianhu's avatar chaojianhu Committed by Jason Wang
Browse files

hw/net: Fix a heap overflow in xlnx.xps-ethernetlite 



The .receive callback of xlnx.xps-ethernetlite doesn't check the length
of data before calling memcpy. As a result, the NetClientState object in
heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite
will be affected.

Reported-by: default avatarchaojianhu <chaojianhu@hotmail.com>
Signed-off-by: default avatarchaojianhu <chaojianhu@hotmail.com>
Signed-off-by: default avatarJason Wang <jasowang@redhat.com>
parent 6c352ca9

hw/net/xilinx_ethlite.c

+4 −0
Original line number Diff line number Diff line
@@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t *buf, size_t size) 
    }



    D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase));

    if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4) {

        D(qemu_log("ethlite packet is too big, size=%x\n", size));

        return -1;

    }

    memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size);



    s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;