File 0067-hw-net-Fix-a-heap-overflow-in-xlnx..patch of Package qemu.3829

Overview Repositories Revisions Requests Users Attributes Meta

File 0067-hw-net-Fix-a-heap-overflow-in-xlnx..patch of Package qemu.3829

From 9786797c49d2e2f5d64828442fea78ac88dde696 Mon Sep 17 00:00:00 2001
From: chaojianhu <chaojianhu@hotmail.com>
Date: Tue, 9 Aug 2016 11:52:54 +0800
Subject: [PATCH] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite

The .receive callback of xlnx.xps-ethernetlite doesn't check the length
of data before calling memcpy. As a result, the NetClientState object in
heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite
will be affected.

Reported-by: chaojianhu <chaojianhu@hotmail.com>
Signed-off-by: chaojianhu <chaojianhu@hotmail.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit a0d1cbdacff5df4ded16b753b38fdd9da6092968)
[BR: CVE-2016-7161 BSC#1001151]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
 hw/net/xilinx_ethlite.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c
index bc846e7096..12b7419ba8 100644
--- a/hw/net/xilinx_ethlite.c
+++ b/hw/net/xilinx_ethlite.c
@@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t *buf, size_t size)
     }
 
     D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase));
+    if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4) {
+        D(qemu_log("ethlite packet is too big, size=%x\n", size));
+        return -1;
+    }
     memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size);
 
     s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;

Places

File 0067-hw-net-Fix-a-heap-overflow-in-xlnx..patch of Package qemu.3829

Places