Commit e015fe00 authored Jun 10, 2015 by Peter Maydell

Merge remote-tracking branch...


Merge remote-tracking branch 'remotes/stefanha/tags/CVE-2015-3209-pcnet-tx-buffer-fix-pull-request' into staging

# gpg: Signature made Wed Jun 10 15:04:11 2015 BST using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>"

* remotes/stefanha/tags/CVE-2015-3209-pcnet-tx-buffer-fix-pull-request:
  pcnet: force the buffer access to be in bounds during tx

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

parents b0411142 9f7c594c

hw/net/pcnet.c

+8 −0

Original line number	Diff line number	Diff line
		@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s)
		}

		bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);

		/* if multi-tmd packet outsizes s->buffer then skip it silently.
		Note: this is not what real hw does */
		if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
		s->xmit_pos = -1;
		goto txdone;
		}

		s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
		s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
		s->xmit_pos += bcnt;