Commit fdc89e90 authored by Jason Wang's avatar Jason Wang
Browse files

ne2000: fix possible out of bound access in ne2000_receive 



In ne2000_receive(), we try to assign size_ to size which converts
from size_t to integer. This will cause troubles when size_ is greater
INT_MAX, this will lead a negative value in size and it can then pass
the check of size < MIN_BUF_SIZE which may lead out of bound access of
for both buf and buf1.

Fixing by converting the type of size to size_t.

CC: qemu-stable@nongnu.org
Reported-by: default avatarDaniel Shapira <daniel@twistlock.com>
Reviewed-by: default avatarMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: default avatarJason Wang <jasowang@redhat.com>
parent 7da2d99f

hw/net/ne2000.c

+2 −2
Original line number Diff line number Diff line
@@ -174,7 +174,7 @@ static int ne2000_buffer_full(NE2000State *s) 
ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)

{

    NE2000State *s = qemu_get_nic_opaque(nc);

    int size = size_;

    size_t size = size_;

    uint8_t *p;

    unsigned int total_len, next, avail, len, index, mcast_idx;

    uint8_t buf1[60];
@@ -182,7 +182,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_) 
        { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };



#if defined(DEBUG_NE2000)

    printf("NE2000: received len=%d\n", size);

    printf("NE2000: received len=%zu\n", size);

#endif



    if (s->cmd & E8390_STOP || ne2000_buffer_full(s))