Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
qemu-testsuite.15027
0124-hw-net-Fix-a-heap-overflow-in-xlnx..patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0124-hw-net-Fix-a-heap-overflow-in-xlnx..patch of Package qemu-testsuite.15027
From 3dcf5c48303b46628b807181b3104a32ca6919a0 Mon Sep 17 00:00:00 2001 From: chaojianhu <chaojianhu@hotmail.com> Date: Tue, 9 Aug 2016 11:52:54 +0800 Subject: [PATCH] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite The .receive callback of xlnx.xps-ethernetlite doesn't check the length of data before calling memcpy. As a result, the NetClientState object in heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite will be affected. Reported-by: chaojianhu <chaojianhu@hotmail.com> Signed-off-by: chaojianhu <chaojianhu@hotmail.com> Signed-off-by: Jason Wang <jasowang@redhat.com> (cherry picked from commit a0d1cbdacff5df4ded16b753b38fdd9da6092968) [BR: CVE-2016-7161 BSC#1001151] Signed-off-by: Bruce Rogers <brogers@suse.com> --- hw/net/xilinx_ethlite.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c index ad6b55306d..9035f7102f 100644 --- a/hw/net/xilinx_ethlite.c +++ b/hw/net/xilinx_ethlite.c @@ -194,6 +194,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t *buf, size_t size) } D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase)); + if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4) { + D(qemu_log("ethlite packet is too big, size=%x\n", size)); + return -1; + } memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size); s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor