author | Prasad J Pandit <pjp@fedoraproject.org> | 2016-01-15 12:30:40 +0530 |
---|---|---|
committer | Timothy Pearson <tpearson@raptorengineering.com> | 2019-11-29 19:31:26 -0600 |
commit | dce4414695d23709fb57c513de4ee05c17983e91 (patch) | |
tree | f2ed0effaec82b8a05524acd18b05d7a499eae56 /hw | |
parent | e6abbc67eaac3defbd955d6f8db23a05c6a63985 (diff) | |
net: cadence_gem: check packet size in gem_recieve
While receiving packets in 'gem_receive' routine, if Frame Check
Sequence (FCS) is enabled, it copies the packet into a local
buffer without checking its size. Add check to validate packet
length against the buffer size to avoid buffer overflow.
Reported-by: Ling Liu <liuling-it@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Diffstat (limited to 'hw')
-rw-r--r-- | hw/net/cadence_gem.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c index f9e4091..e513d9d 100644 --- a/hw/net/cadence_gem.c +++ b/hw/net/cadence_gem.c @@ -678,6 +678,10 @@ static ssize_t gem_receive(NetClientState *nc, const uint8_t *buf, size_t size) } else { unsigned crc_val; + if (size > sizeof(rxbuf) - sizeof(crc_val)) { + size = sizeof(rxbuf) - sizeof(crc_val); + } + bytes_to_copy = size; /* The application wants the FCS field, which QEMU does not provide. * We must try and calculate one. */ |
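Review bot: in the FCS branch of `gem_receive`, the added check clamps `size` to `sizeof(rxbuf) - sizeof(crc_val)` instead of rejecting the frame, so an oversized packet is silently truncated and the FCS that the following comment says is calculated will cover only the shortened payload. The guest then sees a frame that looks intact but is not. Consider dropping the packet, or at least logging or counting the truncation, rather than shrinking `size`. The bound also depends on `rxbuf` being an array in this scope, since `sizeof` applied to a pointer would yield the pointer size; a named constant for the buffer length would make the limit explicit. Because the check sits only inside this `else` block, it is worth confirming that the other branch cannot reach a copy with an unchecked `size`.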