[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH for 2.5 2/2] pcnet: fix rx buffer overflow(CVE-2
From: |
Jason Wang |
Subject: |
Re: [Qemu-devel] [PATCH for 2.5 2/2] pcnet: fix rx buffer overflow(CVE-2015-7512) |
Date: |
Tue, 1 Dec 2015 13:06:19 +0800 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0 |
On 11/30/2015 06:46 PM, Michael S. Tsirkin wrote:
> On Mon, Nov 30, 2015 at 03:38:23PM +0800, Jason Wang wrote:
>> Backends could provide a packet whose length is greater than buffer
>> size. Check for this and truncate the packet to avoid rx buffer
>> overflow in this case.
>>
>> Cc: Prasad J Pandit <address@hidden>
>> Cc: address@hidden
>> Signed-off-by: Jason Wang <address@hidden>
> Reviewed-by: Michael S. Tsirkin <address@hidden>
Applied to my -net. Thanks.
>
>> ---
>> hw/net/pcnet.c | 6 ++++++
>> 1 file changed, 6 insertions(+)
>>
>> diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
>> index 309c40b..1f4a3db 100644
>> --- a/hw/net/pcnet.c
>> +++ b/hw/net/pcnet.c
>> @@ -1064,6 +1064,12 @@ ssize_t pcnet_receive(NetClientState *nc, const
>> uint8_t *buf, size_t size_)
>> int pktcount = 0;
>>
>> if (!s->looptest) {
>> + if (size > 4092) {
>> +#ifdef PCNET_DEBUG_RMD
>> + fprintf(stderr, "pcnet: truncates rx packet.\n");
>> +#endif
>> + size = 4092;
>> + }
>> memcpy(src, buf, size);
>> /* no need to compute the CRC */
>> src[size] = 0;
>> --
>> 2.5.0
>>
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- Re: [Qemu-devel] [PATCH for 2.5 2/2] pcnet: fix rx buffer overflow(CVE-2015-7512),
Jason Wang <=