Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
net: add checks to validate ring buffer pointers(CVE-2015-5279)
Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
bytes to process network packets. While receiving packets
via ne2000_receive() routine, a local 'index' variable
could exceed the ring buffer size, which could lead to a
memory buffer overflow. Added other checks at initialisation.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: P J P <pjp@fedoraproject.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
  • Loading branch information
P J P authored and stefanhaRH committed Sep 15, 2015
1 parent b947ac2 commit 9bbdbc6
Showing 1 changed file with 15 additions and 4 deletions.
19 changes: 15 additions & 4 deletions hw/net/ne2000.c
Expand Up @@ -221,6 +221,9 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
}

index = s->curpag << 8;
if (index >= NE2000_PMEM_END) {
index = s->start;
}
/* 4 bytes for header */
total_len = size + 4;
/* address for next packet (4 bytes for CRC) */
Expand Down Expand Up @@ -306,13 +309,19 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
offset = addr | (page << 4);
switch(offset) {
case EN0_STARTPG:
s->start = val << 8;
if (val << 8 <= NE2000_PMEM_END) {
s->start = val << 8;
}
break;
case EN0_STOPPG:
s->stop = val << 8;
if (val << 8 <= NE2000_PMEM_END) {
s->stop = val << 8;
}
break;
case EN0_BOUNDARY:
s->boundary = val;
if (val << 8 < NE2000_PMEM_END) {
s->boundary = val;
}
break;
case EN0_IMR:
s->imr = val;
Expand Down Expand Up @@ -353,7 +362,9 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
s->phys[offset - EN1_PHYS] = val;
break;
case EN1_CURPAG:
s->curpag = val;
if (val << 8 < NE2000_PMEM_END) {
s->curpag = val;
}
break;
case EN1_MULT ... EN1_MULT + 7:
s->mult[offset - EN1_MULT] = val;
Expand Down

0 comments on commit 9bbdbc6

Please sign in to comment.