dfaggioli/qemu
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

pcnet: fix rx buffer overflow(CVE-2015-7512)

Browse Source 
Backends could provide a packet whose length is greater than buffer
size. Check for this and truncate the packet to avoid rx buffer
overflow in this case.

Cc: Prasad J Pandit <pjp@fedoraproject.org>
Cc: qemu-stable@nongnu.org
Signed-off-by: Jason Wang <jasowang@redhat.com>
[BR: BSC#957162]
Signed-off-by: Bruce Rogers <brogers@suse.com>
This commit is contained in:
Jason Wang
2015-11-30 00:40:00 -07:00
committed by Bruce Rogers
parent 975f1b54a9
commit d92faac630
1 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
hw/net/pcnet.c
View File

@@ -1086,6 +1086,12 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
int pktcount = 0; int pktcount = 0;
if (!s->looptest) { if (!s->looptest) {
if (size > 4092) {
#ifdef PCNET_DEBUG_RMD
fprintf(stderr, "pcnet: truncates rx packet.\n");
#endif
size = 4092;
}
memcpy(src, buf, size); memcpy(src, buf, size);
/* no need to compute the CRC */ /* no need to compute the CRC */
src[size] = 0; src[size] = 0;