+-- On Sat, 15 Feb 2020, Sven Schnelle wrote --+
| > +if (!len1 || !len2 || !s->rx_frame_len) {
| > +return;
|
| I haven't tested the patch yet, but would that work if the guest OS passes
| only one buffer to the card? I.e. len1 = x, and len2 = 0 because only
| buffer 1 is available?
Hi,
thanks for your patch.
On Tue, Feb 11, 2020 at 01:09:30PM +0530, P J P wrote:
> From: Prasad J Pandit
> diff --git a/hw/net/tulip.c b/hw/net/tulip.c
> index cfac2719d3..aca2a3f17f 100644
> --- a/hw/net/tulip.c
> +++ b/hw/net/tulip.c
> @@ -164,27 +164,35 @@ static void tulip_copy_rx_bytes(TUL
From: Prasad J Pandit
Tulip network driver while copying tx/rx buffers does not check
frame size against r/w data length. This may lead to OOB buffer
access. Add check to avoid it.
Reported-by: Li Qiang
Reported-by: Ziming Zhang
Signed-off-by: Prasad J Pandit
---
hw/net/tulip.c | 55
