From: Michael Roth <mdr...@linux.vnet.ibm.com>
CVE-2013-4532
s->tx_frame_len is read from the wire and can later used as an index
into s->tx_fifo[] for memset() when a DATA command is issued by the guest.
In this case s->tx_frame_len is checked to avoid an overrun, but if the
value is negative a subsequently executed guest can underrun the buffer
with zeros via the memset() call.
Fix this by failing migration if the incoming value is of s->tx_frame_len
is less than -1 (the emulation code allows from -1 as a special case)
Signed-off-by: Michael Roth <mdr...@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
---
hw/net/stellaris_enet.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c
index 65f0ba8..6eca31e 100644
--- a/hw/net/stellaris_enet.c
+++ b/hw/net/stellaris_enet.c
@@ -375,6 +375,9 @@ static int stellaris_enet_load(QEMUFile *f, void *opaque,
int version_id)
s->mrxd = qemu_get_be32(f);
s->np = qemu_get_be32(f);
s->tx_frame_len = qemu_get_be32(f);
+ if (s->tx_frame_len < -1) {
+ return -EINVAL;
+ }
s->tx_fifo_len = qemu_get_be32(f);
if (s->tx_fifo_len < 0 || s->tx_fifo_len > SE_FIFO_LEN) {
return -EINVAL;
--
MST
