[Qemu-devel] [PATCH] net: smc91c111: check packet number and data regist
From: P J P
Subject: [Qemu-devel] [PATCH] net: smc91c111: check packet number and data register index
Date: Tue, 25 Oct 2016 17:52:00 +0530
From: Prasad J Pandit <address@hidden>
SMSC91C111 Ethernet interface emulator has registers to store
'packet number' and a 'pointer' to Tx/Rx FIFO buffer area.
These two are used to derive an address to access into 'data'
registers. If they are not set correctly, they could lead to
OOB r/w access beyond packet 'data' area. Add check to avoid it.
Reported-by: Azure Yang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/net/smc91c111.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/hw/net/smc91c111.c b/hw/net/smc91c111.c
index 3b16dcf..2425da1 100644
--- a/hw/net/smc91c111.c
+++ b/hw/net/smc91c111.c
@@ -418,7 +418,7 @@ static void smc91c111_writeb(void *opaque, hwaddr offset,
/* Ignore. */
return;
case 2: /* Packet Number Register */
- s->packet_num = value;
+ s->packet_num = value & (NUM_PACKETS - 1);
return;
case 3: case 4: case 5:
/* Should be readonly, but linux writes to them anyway. Ignore. */
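Review bot: the mask in `s->packet_num = value & (NUM_PACKETS - 1);` (case 2, Packet Number Register) is only a correct bound if NUM_PACKETS is a power of two, and nothing in this hunk states or enforces that. Consider a build-time assertion next to the definition of NUM_PACKETS, or at least a comment here. Masking also aliases an out-of-range guest value onto a different valid packet number instead of ignoring the write; if that wrap-around is the intended behaviour, a one-line comment saying so would help later readers.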
@@ -444,7 +444,10 @@ static void smc91c111_writeb(void *opaque, hwaddr offset,
} else {
p += (offset & 3);
}
- s->data[n][p] = value;
+ if (n < NUM_PACKETS
+ && p < sizeof(s->data[n]) / sizeof(s->data[n][0])) {
+ s->data[n][p] = value;
+ }
}
return;
case 12: /* Interrupt ACK. */
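Review bot: the new guard around `s->data[n][p] = value;` drops an out-of-range write silently, so a guest that programs a bad packet number or pointer leaves no trace for whoever debugs it. Consider adding an else branch that reports it, for example `qemu_log_mask(LOG_GUEST_ERROR, ...)`. The element count `sizeof(s->data[n]) / sizeof(s->data[n][0])` would read more clearly as `ARRAY_SIZE(s->data[n])`. The lines shown here do not include how `n` is computed, so it is not clear from this hunk whether `n < NUM_PACKETS` can still fail after the mask added in the first hunk; if `n` can come from a source other than `s->packet_num`, a comment naming that source would justify the check.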
@@ -590,7 +593,12 @@ static uint32_t smc91c111_readb(void *opaque, hwaddr
offset)
} else {
p += (offset & 3);
}
- return s->data[n][p];
+
+ if (n < NUM_PACKETS
+ && p < sizeof(s->data[n]) / sizeof(s->data[n][0])) {
+ return s->data[n][p];
+ }
+ return 0x80;
}
case 12: /* Interrupt status. */
return s->int_level;
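Review bot: `return 0x80;` on the out-of-range read path is an unexplained magic value, and neither the commit message nor the hunk says why 0x80 is returned rather than 0. Add a comment or a named constant that states what the guest is expected to see here. The bounds condition is also repeated verbatim from the smc91c111_writeb hunk; a small helper that validates `n` and `p` would keep the read and write paths from drifting apart.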
--
2.7.4