Commit dc1ffa66 authored Apr 11, 2016 by Peter Maydell

Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20160411' into staging



target-arm queue:
 * stellaris_enet: don't overrun buffer if fed oversize packet

# gpg: Signature made Mon 11 Apr 2016 14:36:27 BST using RSA key ID 14360CDE
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>"
# gpg:                 aka "Peter Maydell <pmaydell@gmail.com>"
# gpg:                 aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>"

* remotes/pmaydell/tags/pull-target-arm-20160411:
  net: stellaris_enet: check packet length against receive buffer

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

parents 5144fe36 3a15cc0e

hw/net/stellaris_enet.c

+11 −1

Original line number	Diff line number	Diff line
		@@ -236,8 +236,18 @@ static ssize_t stellaris_enet_receive(NetClientState nc, const uint8_t buf, si
		n = s->next_packet + s->np;
		if (n >= 31)
		n -= 31;
		s->np++;

		if (size >= sizeof(s->rx[n].data) - 6) {
		/* If the packet won't fit into the
		* emulated 2K RAM, this is reported
		* as a FIFO overrun error.
		*/
		s->ris \|= SE_INT_FOV;
		stellaris_enet_update(s);
		return -1;
		}

		s->np++;
		s->rx[n].len = size + 6;
		p = s->rx[n].data;
		*(p++) = (size + 6);