[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH for-5.2 14/19] ftgmac100: Fix integer overflow in ftgmac100_d
|
From: |
Cédric Le Goater |
|
Subject: |
Re: [PATCH for-5.2 14/19] ftgmac100: Fix integer overflow in ftgmac100_do_tx() |
|
Date: |
Mon, 10 Aug 2020 19:14:40 +0200 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 |
On 8/10/20 3:43 PM, Mauro Matteo Cascella wrote:
> On Thu, Aug 6, 2020 at 3:21 PM Cédric Le Goater <clg@kaod.org> wrote:
>>
>> When inserting the VLAN tag in packets, memmove() can generate an
>> integer overflow for packets whose length is less than 12 bytes.
>>
>> Check length against the size of the ethernet header (14 bytes) to
>> avoid the crash and return FTGMAC100_INT_XPKT_LOST status. This seems
>> like a good modeling choice even if Aspeed does not specify anything
>> in that case.
>>
>> Cc: Frederic Konrad <konrad.frederic@yahoo.fr>
>> Cc: Mauro Matteo Cascella <mcascell@redhat.com>
>> Reported-by: Ziming Zhang <ezrakiez@gmail.com>
>> Signed-off-by: Cédric Le Goater <clg@kaod.org>
>> ---
>> hw/net/ftgmac100.c | 19 +++++++++++++++----
>> 1 file changed, 15 insertions(+), 4 deletions(-)
>>
>> diff --git a/hw/net/ftgmac100.c b/hw/net/ftgmac100.c
>> index 280aa3d3a1e2..987b843fabc4 100644
>> --- a/hw/net/ftgmac100.c
>> +++ b/hw/net/ftgmac100.c
>> @@ -540,10 +540,21 @@ static void ftgmac100_do_tx(FTGMAC100State *s,
>> uint32_t tx_ring,
>> s->isr |= FTGMAC100_INT_XPKT_LOST;
>> len = sizeof(s->frame) - frame_size - 4;
>> }
>> - memmove(ptr + 16, ptr + 12, len - 12);
>> - stw_be_p(ptr + 12, ETH_P_VLAN);
>> - stw_be_p(ptr + 14, bd.des1);
>> - len += 4;
>> +
>> + if (len < sizeof(struct eth_header)) {
>> + qemu_log_mask(LOG_GUEST_ERROR,
>> + "%s: frame too small for VLAN insertion : %d
>> bytes\n",
>> + __func__, len);
>> + s->isr |= FTGMAC100_INT_XPKT_LOST;
>> + } else {
>> + uint8_t *vlan_hdr = ptr + (ETH_ALEN * 2);
>> + uint8_t *payload = vlan_hdr + sizeof(struct vlan_header);
>> +
>> + memmove(payload, vlan_hdr, len - (ETH_ALEN * 2));
>> + stw_be_p(vlan_hdr, ETH_P_VLAN);
>> + stw_be_p(vlan_hdr + 2,
>> FTGMAC100_TXDES1_VLANTAG_CI(bd.des1));
>> + len += sizeof(struct vlan_header);
>> + }
>> }
>>
>> ptr += len;
>> --
>> 2.25.4
>>
>
> I can confirm that I can't reproduce the issue with the above patch. Thank
> you.
>
Can I count that as a Tested-by ?
Thanks,
C.
- [PATCH for-5.2 13/19] ftgmac100: Check for invalid len and address before doing a DMA transfer, (continued)
- [PATCH for-5.2 13/19] ftgmac100: Check for invalid len and address before doing a DMA transfer, Cédric Le Goater, 2020/08/06
- [PATCH for-5.2 19/19] aspeed/smc: Open AHB window of the second chip of the AST2600 FMC controller, Cédric Le Goater, 2020/08/06
- [PATCH for-5.2 09/19] ftgmac100: Fix registers that can be read, Cédric Le Goater, 2020/08/06
- [PATCH for-5.2 14/19] ftgmac100: Fix integer overflow in ftgmac100_do_tx(), Cédric Le Goater, 2020/08/06
- Re: [PATCH for-5.2 14/19] ftgmac100: Fix integer overflow in ftgmac100_do_tx(), Peter Maydell, 2020/08/11
- [PATCH for-5.2 11/19] ftgmac100: Fix interrupt status "Packet moved to RX FIFO", Cédric Le Goater, 2020/08/06
- [PATCH for-5.2 15/19] ftgmac100: Improve software reset, Cédric Le Goater, 2020/08/06
- [PATCH for-5.2 18/19] aspeed/sdmc: Simplify calculation of RAM bits, Cédric Le Goater, 2020/08/06