Re: [Qemu-arm] [Qemu-devel] [PATCH] cadence_gem: fix buffer overflow

[Jason Wang]

On 01/18/2016 05:08 PM, Peter Crosthwaite wrote:
> On Mon, Jan 18, 2016 at 12:12 AM, Jason Wang <address@hidden> wrote:
>>
>> On 01/18/2016 03:04 PM, Peter Crosthwaite wrote:
>>> On Sun, Jan 17, 2016 at 10:50 PM, Jason Wang <address@hidden> wrote:
>>>> On 01/14/2016 05:43 PM, Michael S. Tsirkin wrote:
>>>>> gem_receive copies a packet received from network into an rxbuf[2048]
>>>>> array on stack, with size limited by descriptor length set by guest.  If
>>>>> guest is malicious and specifies a descriptor length that is too large,
>>>>> and should packet size exceed array size, this results in a buffer
>>>>> overflow.
>>>>>
>>>>> Reported-by: 刘令 <address@hidden>
>>>>> Signed-off-by: Michael S. Tsirkin <address@hidden>
>>>>> ---
>>>>>  hw/net/cadence_gem.c | 8 ++++++++
>>>>>  1 file changed, 8 insertions(+)
>>>> Apply to my -net with tweak on commit log (changing receive to transmit
>>>> as noticed).
>>>>
>>> As this is actually an unimplemented feature you should change the
>>> message to a LOG_UNIMP rather than a debug printf.
>>>
>>> Regards,
>>> Peter
>> Thanks for the reminding. But we need know the whether real device could
>> send packet whose length is greater than 2048. Do you know the link to
>> the manual? (Haven't fond it in cadence page.) A hint is the linux
> Xilinx UG585 has details:
>
> http://www.xilinx.com/support/documentation/user_guides/ug585-Zynq-7000-TRM.pdf
>
> Regards,
> Peter
>
>

Thanks for the pointer.

In section 16.1.5, it said

"Jumbo frames are not supported."

So it was in fact not an unimplemented feature?