diff mbox series

[47/97] pcnet: fix possible buffer overflow

Message ID	20190401210011.16009-48-mdroth@linux.vnet.ibm.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org> Gateway: Authorized Use Only! Violators will be prosecuted for <qemu-devel@nongnu.org> from <mdroth@linux.vnet.ibm.com>; Mon, 1 Apr 2019 22:02:25 +0100 Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Mon, 1 Apr 2019 22:02:23 +0100 From: Michael Roth <mdroth@linux.vnet.ibm.com> To: qemu-devel@nongnu.org Date: Mon, 1 Apr 2019 15:59:21 -0500 In-Reply-To: <20190401210011.16009-1-mdroth@linux.vnet.ibm.com> References: <20190401210011.16009-1-mdroth@linux.vnet.ibm.com> Message-Id: <20190401210011.16009-48-mdroth@linux.vnet.ibm.com> Subject: [Qemu-devel] [PATCH 47/97] pcnet: fix possible buffer overflow Precedence: list Cc: Jason Wang <jasowang@redhat.com>, qemu-stable@nongnu.org Errors-To: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org Sender: "Qemu-devel" <qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org>
Series	Patch Round-up for stable 3.0.1, freeze on 2019-04-08 \| expand [00/97] Patch Round-up for stable 3.0.1, freeze on 2019-04-08 [01/97] target/arm: Fix sign of sve_cmpeq_ppzw/sve_cmpne_ppzw [02/97] target/arm: Fix typo in do_sat_addsub_64 [03/97] target/arm: Reorganize SVE WHILE [04/97] target/arm: Fix typo in helper_sve_movz_d [05/97] target/arm: Fix typo in helper_sve_ld1hss_r [06/97] target/arm: Fix sign-extension in sve do_ldr/do_str [07/97] target/arm: Fix offset for LD1R instructions [08/97] target/arm: Fix offset scaling for LD_zprr and ST_zprr [09/97] target/arm: Reformat integer register dump [10/97] target/arm: Dump SVE state if enabled [11/97] target/arm: Add sve-max-vq cpu property to -cpu max [12/97] spapr_cpu_core: vmstate_[un]register per-CPU data from (un)realizefn [13/97] target/arm: Adjust FPCR_MASK for FZ16 [14/97] target/arm: Ignore float_flag_input_denormal from fp_status_f16 [15/97] target/arm: Use fp_status_fp16 for do_fmpa_zpzzz_h [16/97] target/arm: Use FZ not FZ16 for SVE FCVT single-half and double-half [17/97] block/qapi: Fix memory leak in qmp_query_blockstats() [18/97] mirror: Fail gracefully for source == target [19/97] qemu-img: fix regression copying secrets during convert [20/97] nvme: Fix nvme_init error handling [21/97] aio-posix: Don't count ctx->notifier as progress when polling [22/97] aio: Do aio_notify_accept only during blocking aio_poll [23/97] monitor: fix oob command leak [24/97] vnc: fix memleak of the "vnc-worker-output" name [25/97] i386: Disable TOPOEXT by default on "-cpu host" [26/97] block: for jobs, do not clear user_paused until after the resume [27/97] block: iotest to catch abort on forced blockjob cancel [28/97] virtio: update MemoryRegionCaches when guest negotiates features [29/97] target/xtensa: fix FPU2000 bugs [30/97] kvm: add call to qemu_add_opts() for -overcommit option [31/97] slirp: Add sanity check for str option length [32/97] vhost: fix invalid downcast [33/97] pc: acpi: revert back to 1 SRAT entry for hotpluggable area [35/97] block: Fix use after free error in bdrv_open_inherit() [36/97] job: Fix nested aio_poll() hanging in job_txn_apply [37/97] target/xtensa: fix s32c1i TCGMemOp flags [38/97] nbd/server: fix bitmap export [39/97] clean up callback when del virtqueue [40/97] block/rbd: pull out qemu_rbd_convert_options [41/97] block/rbd: Attempt to parse legacy filenames [42/97] block/rbd: add iotest for rbd legacy keyvalue filename parsing [43/97] block/rbd: add deprecation documentation for filename keyvalue pairs [44/97] target/arm: Fix cpu_get_tb_cpu_state() for non-SVE CPUs [45/97] ne2000: fix possible out of bound access in ne2000_receive [46/97] rtl8139: fix possible out of bound access [47/97] pcnet: fix possible buffer overflow [48/97] net: ignore packet size greater than INT_MAX [49/97] virt: Suppress external aborts on virt-2.10 and earlier [50/97] virtio: do not take address of packed members [51/97] block-backend: Set werror/rerror defaults in blk_new() [52/97] target/arm: Correct condition for v8M callee stack push [53/97] nbd/server: fix NBD_CMD_CACHE [54/97] intel_iommu: introduce vtd_reset_caches() [55/97] intel_iommu: better handling of dmar state switch [56/97] nbd: fix NBD_FLAG_SEND_CACHE value [57/97] migration: Stop postcopy fault thread before notifying [58/97] vhost-scsi: prevent using uninitialized vqs [59/97] target/xtensa: drop num_[core_]regs from dc232b/dc233c configs [60/97] make-release: add skiboot .version file [61/97] net: drop too large packet early [62/97] fdc: fix segfault in fdctrl_stop_transfer() when DMA is disabled [63/97] qemu-img: Fix typo [64/97] qemu-img: Fix leak [65/97] fmops: fix off-by-one in AR_TABLE and DR_TABLE array size [66/97] vfio-helpers: Fix qemu_vfio_open_pci() crash [67/97] i2c: Move typedef of bitbang_i2c_interface to i2c.h [68/97] i2c: Add a length check to the SMBus write handling [69/97] nbd/server: Advertise all contexts in response to bare LIST [70/97] nbd/client: Make x-dirty-bitmap more reliable [71/97] nbd/client: Send NBD_CMD_DISC if open fails after connect [72/97] mirror: fix dead-lock [73/97] iotests: simple mirror test with kvm on 1G image [74/97] iotests: make 235 work on s390 (and others) [75/97] Changes requirement for "vsubsbs" instruction [76/97] pcie: set link state inactive/active after hot unplug/plug [77/97] pc:piix4: Update smbus I/O space after a migration [78/97] hw/s390x: Fix bad mask in time2tod() [79/97] linux-user: write(fd, NULL, 0) parity with linux's treatment of same [80/97] linux-user: make pwrite64/pread64(fd, NULL, 0, offset) return 0 [81/97] s390x: Return specification exception for unimplemented diag 308 subcodes [82/97] exec.c: Don't reallocate IOMMUNotifiers that are in use [83/97] tpm: Zero-init structure to avoid uninitialized variables in valgrind log [84/97] tpm: use loop iterator to set sts data field [85/97] tpm: Make sure new locality passed to tpm_tis_prep_abort() is valid [86/97] tpm: Make sure the locality received from backend is valid [87/97] block: Fix invalidate_cache error path for parent activation [88/97] acpi: Make TPM 2.0 with TIS available as MSFT0101 [89/97] hw/rdma: another clang compilation fix [90/97] slirp: check sscanf result when emulating ident [91/97] tpm_tis: fix loop that cancels any seizure by a lower locality [92/97] bitmap: Update count after a merge [93/97] qga: update docs with systemd suspend support info [94/97] nvme: fix out-of-bounds access to the CMB [95/97] 9p: fix QEMU crash when renaming files [96/97] usb-mtp: outlaw slashes in filenames [97/97] usb-mtp: use O_NOFOLLOW and O_CLOEXEC.

Commit Message

Michael Roth April 1, 2019, 8:59 p.m. UTC

From: Jason Wang <jasowang@redhat.com>

In pcnet_receive(), we try to assign size_ to size which converts from
size_t to integer. This will cause troubles when size_ is greater
INT_MAX, this will lead a negative value in size and it can then pass
the check of size < MIN_BUF_SIZE which may lead out of bound access
for both buf and buf1.

Fixing by converting the type of size to size_t.

CC: qemu-stable@nongnu.org
Reported-by: Daniel Shapira <daniel@twistlock.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit b1d80d12c5f7ff081bb80ab4f4241d4248691192)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/net/pcnet.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff mbox series

Patch

diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
index 0c44554168..d9ba04bdfc 100644
--- a/hw/net/pcnet.c
+++ b/hw/net/pcnet.c
@@ -988,14 +988,14 @@  ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
     uint8_t buf1[60];
     int remaining;
     int crc_err = 0;
-    int size = size_;
+    size_t size = size_;
 
     if (CSR_DRX(s) || CSR_STOP(s) || CSR_SPND(s) || !size ||
         (CSR_LOOP(s) && !s->looptest)) {
         return -1;
     }
 #ifdef PCNET_DEBUG
-    printf("pcnet_receive size=%d\n", size);
+    printf("pcnet_receive size=%zu\n", size);
 #endif
 
     /* if too small buffer, then expand it */