[PULL 2/2] hw/net/xgmac: Fix buffer overflow in xgmac_enet

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PULL 2/2] hw/net/xgmac: Fix buffer overflow in xgmac_enet_send()

From:	Jason Wang
Subject:	[PULL 2/2] hw/net/xgmac: Fix buffer overflow in xgmac_enet_send()
Date:	Tue, 21 Jul 2020 21:34:27 +0800

From: Mauro Matteo Cascella <mcascell@redhat.com>

A buffer overflow issue was reported by Mr. Ziming Zhang, CC'd here. It
occurs while sending an Ethernet frame due to missing break statements
and improper checking of the buffer size.

Reported-by: Ziming Zhang <ezrakiez@gmail.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/net/xgmac.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/hw/net/xgmac.c b/hw/net/xgmac.c
index 574dd47..5bf1b61 100644
--- a/hw/net/xgmac.c
+++ b/hw/net/xgmac.c
@@ -220,21 +220,31 @@ static void xgmac_enet_send(XgmacState *s)
         }
         len = (bd.buffer1_size & 0xfff) + (bd.buffer2_size & 0xfff);
 
+        /*
+         * FIXME: these cases of malformed tx descriptors (bad sizes)
+         * should probably be reported back to the guest somehow
+         * rather than simply silently stopping processing, but we
+         * don't know what the hardware does in this situation.
+         * This will only happen for buggy guests anyway.
+         */
         if ((bd.buffer1_size & 0xfff) > 2048) {
             DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
                         "xgmac buffer 1 len on send > 2048 (0x%x)\n",
                          __func__, bd.buffer1_size & 0xfff);
+            break;
         }
         if ((bd.buffer2_size & 0xfff) != 0) {
             DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
                         "xgmac buffer 2 len on send != 0 (0x%x)\n",
                         __func__, bd.buffer2_size & 0xfff);
+            break;
         }
-        if (len >= sizeof(frame)) {
+        if (frame_size + len >= sizeof(frame)) {
             DEBUGF_BRK("qemu:%s: buffer overflow %d read into %zu "
-                        "buffer\n" , __func__, len, sizeof(frame));
+                        "buffer\n" , __func__, frame_size + len, 
sizeof(frame));
             DEBUGF_BRK("qemu:%s: buffer1.size=%d; buffer2.size=%d\n",
                         __func__, bd.buffer1_size, bd.buffer2_size);
+            break;
         }
 
         cpu_physical_memory_read(bd.buffer1_addr, ptr, len);
-- 
2.5.0

[Prev in Thread]

Current Thread

[Next in Thread]

[PULL 0/2] Net patches, Jason Wang, 2020/07/21
- [PULL 2/2] hw/net/xgmac: Fix buffer overflow in xgmac_enet_send(), Jason Wang <=
- [PULL 1/2] hw/net: Added plen fix for IPv6, Jason Wang, 2020/07/21
- Re: [PULL 0/2] Net patches, Peter Maydell, 2020/07/21

Prev by Date: [PULL 0/2] Net patches
Next by Date: [PULL 1/2] hw/net: Added plen fix for IPv6
Previous by thread: [PULL 0/2] Net patches
Next by thread: [PULL 1/2] hw/net: Added plen fix for IPv6
Index(es):
- Date
- Thread