From: Prasad J Pandit <p...@fedoraproject.org>
While receiving packets in 'gem_receive' routine, if Frame Check
Sequence(FCS) is enabled, it copies the packet into a local
buffer without checking its size. Add check to validate packet
length against the buffer size to avoid buffer overflow.
Reported-by: Ling Liu <liuling...@360.cn>
Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
Signed-off-by: Jason Wang <jasow...@redhat.com>
---
hw/net/cadence_gem.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
index f9e4091..e513d9d 100644
--- a/hw/net/cadence_gem.c
+++ b/hw/net/cadence_gem.c
@@ -678,6 +678,10 @@ static ssize_t gem_receive(NetClientState *nc, const
uint8_t *buf, size_t size)
} else {
unsigned crc_val;
+ if (size > sizeof(rxbuf) - sizeof(crc_val)) {
+ size = sizeof(rxbuf) - sizeof(crc_val);
+ }
+ bytes_to_copy = size;
/* The application wants the FCS field, which QEMU does not provide.
* We must try and calculate one.
*/
--
2.5.0
