[PATCH for-5.2 14/19] ftgmac100: Fix integer overflow in ftgmac100_do_tx
From: Cédric Le Goater
Subject: [PATCH for-5.2 14/19] ftgmac100: Fix integer overflow in ftgmac100_do_tx()
Date: Thu, 6 Aug 2020 15:21:01 +0200
When inserting the VLAN tag in packets, memmove() can generate an
integer overflow for packets whose length is less than 12 bytes.
Check length against the size of the ethernet header (14 bytes) to
avoid the crash and return FTGMAC100_INT_XPKT_LOST status. This seems
like a good modeling choice even if Aspeed does not specify anything
in that case.
Cc: Frederic Konrad <konrad.frederic@yahoo.fr>
Cc: Mauro Matteo Cascella <mcascell@redhat.com>
Reported-by: Ziming Zhang <ezrakiez@gmail.com>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
---
hw/net/ftgmac100.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/hw/net/ftgmac100.c b/hw/net/ftgmac100.c
index 280aa3d3a1e2..987b843fabc4 100644
--- a/hw/net/ftgmac100.c
+++ b/hw/net/ftgmac100.c
@@ -540,10 +540,21 @@ static void ftgmac100_do_tx(FTGMAC100State *s, uint32_t
tx_ring,
s->isr |= FTGMAC100_INT_XPKT_LOST;
len = sizeof(s->frame) - frame_size - 4;
}
- memmove(ptr + 16, ptr + 12, len - 12);
- stw_be_p(ptr + 12, ETH_P_VLAN);
- stw_be_p(ptr + 14, bd.des1);
- len += 4;
+
+ if (len < sizeof(struct eth_header)) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "%s: frame too small for VLAN insertion : %d bytes\n",
+ __func__, len);
+ s->isr |= FTGMAC100_INT_XPKT_LOST;
+ } else {
+ uint8_t *vlan_hdr = ptr + (ETH_ALEN * 2);
+ uint8_t *payload = vlan_hdr + sizeof(struct vlan_header);
+
+ memmove(payload, vlan_hdr, len - (ETH_ALEN * 2));
+ stw_be_p(vlan_hdr, ETH_P_VLAN);
+ stw_be_p(vlan_hdr + 2, FTGMAC100_TXDES1_VLANTAG_CI(bd.des1));
+ len += sizeof(struct vlan_header);
+ }
}
ptr += len;
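Review bot: In the new `len < sizeof(struct eth_header)` branch the code only logs and sets `FTGMAC100_INT_XPKT_LOST`, then falls through to `ptr += len;`, so the pointer still advances past the undersized fragment and it stays in the frame without a VLAN tag. If the model is that the packet is lost, consider dropping the fragment in that branch, or add a comment stating that passing it on untagged is the intended behaviour. Two smaller points: the tag value written changes from `bd.des1` to `FTGMAC100_TXDES1_VLANTAG_CI(bd.des1)`, which is a separate behaviour change that the commit message does not mention; and the `%d` in the log message suggests `len` is a signed int, in which case the comparison against `sizeof` is done unsigned, so it is worth confirming `len` cannot be negative at this point and that the format specifier matches its declared type.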
--
2.25.4