From 3a15cc0e1ee7168db0782133d2607a6bfa422d66 Mon Sep 17 00:00:00 2001

From: Prasad J Pandit <pjp@fedoraproject.org>

Date: Fri, 8 Apr 2016 11:33:48 +0530

Subject: [PATCH] net: stellaris_enet: check packet length against receive buffer

When receiving packets over Stellaris ethernet controller, it

uses receive buffer of size 2048 bytes. In case the controller

accepts large(MTU) packets, it could lead to memory corruption.

Add check to avoid it.

Reported-by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com>

Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>

Message-id: 1460095428-22698-1-git-send-email-ppandit@redhat.com

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

---

 tools/qemu-xen-traditional/hw/stellaris_enet.c |   12 +++++++++++-

 1 files changed, 11 insertions(+), 1 deletions(-)

diff --git a/tools/qemu-xen-traditional/hw/stellaris_enet.c b/tools/qemu-xen-traditional/hw/stellaris_enet.c

index 84cf60b..6880894 100644

--- a/tools/qemu-xen-traditional/hw/stellaris_enet.c

+++ b/tools/qemu-xen-traditional/hw/stellaris_enet.c

@@ -236,8 +236,18 @@ static ssize_t stellaris_enet_receive(NetClientState *nc, const uint8_t *buf, si

     n = s->next_packet + s->np;

     if (n >= 31)

         n -= 31;

-    s->np++;

+    if (size >= sizeof(s->rx[n].data) - 6) {

+        /* If the packet won't fit into the

+         * emulated 2K RAM, this is reported

+         * as a FIFO overrun error.

+         */

+        s->ris |= SE_INT_FOV;

+        stellaris_enet_update(s);

+        return -1;

+    }

+

+    s->np++;

     s->rx[n].len = size + 6;

     p = s->rx[n].data;

     *(p++) = (size + 6);

-- 

1.7.0.4