Message ID | 1460095428-22698-1-git-send-email-ppandit@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
On 8 April 2016 at 07:03, P J P <ppandit@redhat.com> wrote: > From: Prasad J Pandit <pjp@fedoraproject.org> > > When receiving packets over Stellaris ethernet controller, it > uses receive buffer of size 2048 bytes. In case the controller > accepts large(MTU) packets, it could lead to memory corruption. > Add check to avoid it. > > Reported-by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com> > Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> > --- > hw/net/stellaris_enet.c | 12 +++++++++++- > 1 file changed, 11 insertions(+), 1 deletion(-) Applied to target-arm.next, thanks. -- PMM
diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c index 21a4773..fc48ba8 100644 --- a/hw/net/stellaris_enet.c +++ b/hw/net/stellaris_enet.c @@ -235,8 +235,18 @@ static ssize_t stellaris_enet_receive(NetClientState *nc, const uint8_t *buf, si n = s->next_packet + s->np; if (n >= 31) n -= 31; + + if (size >= sizeof(s->rx[n].data) - 6) { + /* If the packet won't fit into the + * emulated 2K RAM, this is reported + * as a FIFO overrun error. + */ + s->ris |= SE_INT_FOV; + stellaris_enet_update(s); + return -1; + } + s->np++; - s->rx[n].len = size + 6; p = s->rx[n].data; *(p++) = (size + 6);