[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH for-5.2 14/19] ftgmac100: Fix integer overflow in ftgmac100_d
|
From: |
Joel Stanley |
|
Subject: |
Re: [PATCH for-5.2 14/19] ftgmac100: Fix integer overflow in ftgmac100_do_tx() |
|
Date: |
Thu, 6 Aug 2020 23:57:46 +0000 |
On Thu, 6 Aug 2020 at 13:21, Cédric Le Goater <clg@kaod.org> wrote:
>
> When inserting the VLAN tag in packets, memmove() can generate an
> integer overflow for packets whose length is less than 12 bytes.
>
> Check length against the size of the ethernet header (14 bytes) to
> avoid the crash and return FTGMAC100_INT_XPKT_LOST status. This seems
> like a good modeling choice even if Aspeed does not specify anything
> in that case.
>
> Cc: Frederic Konrad <konrad.frederic@yahoo.fr>
> Cc: Mauro Matteo Cascella <mcascell@redhat.com>
> Reported-by: Ziming Zhang <ezrakiez@gmail.com>
> Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Joel Stanley <joel@jms.id.au>
> ---
> hw/net/ftgmac100.c | 19 +++++++++++++++----
> 1 file changed, 15 insertions(+), 4 deletions(-)
>
> diff --git a/hw/net/ftgmac100.c b/hw/net/ftgmac100.c
> index 280aa3d3a1e2..987b843fabc4 100644
> --- a/hw/net/ftgmac100.c
> +++ b/hw/net/ftgmac100.c
> @@ -540,10 +540,21 @@ static void ftgmac100_do_tx(FTGMAC100State *s, uint32_t
> tx_ring,
> s->isr |= FTGMAC100_INT_XPKT_LOST;
> len = sizeof(s->frame) - frame_size - 4;
> }
> - memmove(ptr + 16, ptr + 12, len - 12);
> - stw_be_p(ptr + 12, ETH_P_VLAN);
> - stw_be_p(ptr + 14, bd.des1);
> - len += 4;
> +
> + if (len < sizeof(struct eth_header)) {
> + qemu_log_mask(LOG_GUEST_ERROR,
> + "%s: frame too small for VLAN insertion : %d
> bytes\n",
> + __func__, len);
> + s->isr |= FTGMAC100_INT_XPKT_LOST;
> + } else {
> + uint8_t *vlan_hdr = ptr + (ETH_ALEN * 2);
> + uint8_t *payload = vlan_hdr + sizeof(struct vlan_header);
> +
> + memmove(payload, vlan_hdr, len - (ETH_ALEN * 2));
> + stw_be_p(vlan_hdr, ETH_P_VLAN);
> + stw_be_p(vlan_hdr + 2, FTGMAC100_TXDES1_VLANTAG_CI(bd.des1));
> + len += sizeof(struct vlan_header);
> + }
> }
>
> ptr += len;
> --
> 2.25.4
>
- Re: [PATCH for-5.2 10/19] ftgmac100: Fix interrupt status "Packet transmitted on ethernet", (continued)
- [PATCH for-5.2 09/19] ftgmac100: Fix registers that can be read, Cédric Le Goater, 2020/08/06
- [PATCH for-5.2 19/19] aspeed/smc: Open AHB window of the second chip of the AST2600 FMC controller, Cédric Le Goater, 2020/08/06
- [PATCH for-5.2 17/19] aspeed/sdmc: Allow writes to unprotected registers, Cédric Le Goater, 2020/08/06
- [PATCH for-5.2 13/19] ftgmac100: Check for invalid len and address before doing a DMA transfer, Cédric Le Goater, 2020/08/06
- [PATCH for-5.2 14/19] ftgmac100: Fix integer overflow in ftgmac100_do_tx(), Cédric Le Goater, 2020/08/06
- Re: [PATCH for-5.2 14/19] ftgmac100: Fix integer overflow in ftgmac100_do_tx(), Peter Maydell, 2020/08/11
- [PATCH for-5.2 15/19] ftgmac100: Improve software reset, Cédric Le Goater, 2020/08/06
- [PATCH for-5.2 11/19] ftgmac100: Fix interrupt status "Packet moved to RX FIFO", Cédric Le Goater, 2020/08/06