mirrors/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

-----BEGIN PGP SIGNATURE-----

Browse Source 
Version: GnuPG v1
 
 iQEbBAABAgAGBQJVeEPbAAoJEJykq7OBq3PIroMH+IPgOCb4VL5TLqviUqfKVor+
 Z4QRqAgUurSjtYj5kqAmLkoelP4HBjPngvW2JVwbYICuOcq9Pd+koB309yKRHw+M
 rW4TDhshonM/PUrf82cOXdkJUT+d+3FRYidZn3KXRbm+CEkyVOdNOPPefGD1ohVf
 azeocOqkYVZlMcIvf+CMgZc8xN0+WIzDYPfDFUfzEWrdYHL02GqTbpy7KeD4mlEV
 AGLy2W6ndYnhlvQI3Eums4+DLKqcFiZMZUMi/t+S2viYCCY0MQ3OtDQlWkB2wiDw
 +y8VqV720nWeIuCvzXq/yb7UeLHaEUjPqkBGUOFcDg0EQXtUMv6WIRLALXSoCQ==
 =6r65
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/stefanha/tags/CVE-2015-3209-pcnet-tx-buffer-fix-pull-request' into staging

# gpg: Signature made Wed Jun 10 15:04:11 2015 BST using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>"

* remotes/stefanha/tags/CVE-2015-3209-pcnet-tx-buffer-fix-pull-request:
  pcnet: force the buffer access to be in bounds during tx

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
This commit is contained in:
Peter Maydell 2015-06-10 15:10:14 +01:00
commit e015fe008a
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
hw/net/pcnet.c
View File

@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s)
}
bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
/* if multi-tmd packet outsizes s->buffer then skip it silently.
Note: this is not what real hw does */
if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
s->xmit_pos = -1;
goto txdone;
}
s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
s->xmit_pos += bcnt;