From 53260b0f3e1426185786f5fe45f99ca1ded84062 Mon Sep 17 00:00:00 2001 From: Prasad J Pandit Date: Thu, 7 Apr 2016 04:27:00 -0600 Subject: [PATCH] net: mipsnet: check packet length against buffer When receiving packets over MIPSnet network device, it uses receive buffer of size 1514 bytes. In case the controller accepts large(MTU) packets, it could lead to memory corruption. Add check to avoid it. Reported by: Oleksandr Bazhaniuk Signed-off-by: Prasad J Pandit [BR: BSC#975136 CVE-2016-4002] Signed-off-by: Bruce Rogers --- hw/net/mipsnet.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hw/net/mipsnet.c b/hw/net/mipsnet.c index 740cd98..cf8b823 100644 --- a/hw/net/mipsnet.c +++ b/hw/net/mipsnet.c @@ -83,6 +83,9 @@ static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si if (!mipsnet_can_receive(nc)) return 0; + if (size >= sizeof(s->rx_buffer)) { + return 0; + } s->busy = 1; /* Just accept everything. */