From: Prasad J Pandit <address@hidden>
When processing MIPSnet I/O port write operation, it uses a
transmit buffer tx_buffer[MAX_ETH_FRAME_SIZE=1514]. Two indices
's->tx_written' and 's->tx_count' are used to control data written
to this buffer. If the two were to be equal before writing, it'd
lead to an OOB write access beyond tx_buffer. Add check to avoid it.
Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/net/mipsnet.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
Update as per:
-> https://lists.gnu.org/archive/html/qemu-devel/2016-06/msg02089.html
diff --git a/hw/net/mipsnet.c b/hw/net/mipsnet.c
index 740cd98..450e42d 100644
--- a/hw/net/mipsnet.c
+++ b/hw/net/mipsnet.c
@@ -180,10 +180,12 @@ static void mipsnet_ioport_write(void *opaque, hwaddr
addr,
break;
case MIPSNET_TX_DATA_BUFFER:
s->tx_buffer[s->tx_written++] = val;
- if (s->tx_written == s->tx_count) {
+ if ((s->tx_written >= MAX_ETH_FRAME_SIZE)
+ || (s->tx_written == s->tx_count)) {
/* Send buffer. */
- trace_mipsnet_send(s->tx_count);
- qemu_send_packet(qemu_get_queue(s->nic), s->tx_buffer,
s->tx_count);
+ trace_mipsnet_send(s->tx_written);
+ qemu_send_packet(qemu_get_queue(s->nic),
+ s->tx_buffer, s->tx_written);
s->tx_count = s->tx_written = 0;
s->intctl |= MIPSNET_INTCTL_TXDONE;
s->busy = 1;