Google Git
Sign in
fuchsia / third_party / qemu / a43790f2f6155597e120409f467a3d41de3cfb53
commita43790f2f6155597e120409f467a3d41de3cfb53[log] [tgz]
authorPeter Maydell <peter.maydell@linaro.org>Thu Mar 12 20:16:38 2020 +0000
committerJason Wang <jasowang@redhat.com>Tue Mar 31 21:14:35 2020 +0800
treea5aa64318813bbfaeef494b0156d18b37b394b6d
parentbaba731bc6e7920ec2dca7d449b6bf7d42e4901f [diff]
hw/net/i82596.c: Avoid reading off end of buffer in i82596_receive()

The i82596_receive() function attempts to pass the guest a buffer
which is effectively the concatenation of the data it is passed and a
4 byte CRC value.  However, rather than implementing this as "write
the data; then write the CRC" it instead bumps the length value of
the data by 4, and writes 4 extra bytes from beyond the end of the
buffer, which it then overwrites with the CRC.  It also assumed that
we could always fit all four bytes of the CRC into the final receive
buffer, which might not be true if the CRC needs to be split over two
receive buffers.

Calculate separately how many bytes we need to transfer into the
guest's receive buffer from the source buffer, and how many we need
to transfer from the CRC work.

We add a count 'bufsz' of the number of bytes left in the source
buffer, which we use purely to assert() that we don't overrun.

Spotted by Coverity (CID 1419396) for the specific case when we end
up using a local array as the source buffer.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
1 file changed
tree: a5aa64318813bbfaeef494b0156d18b37b394b6d
  1. .gitlab-ci.d/
  2. accel/
  3. audio/
  4. authz/
  5. backends/
  6. block/
  7. bsd-user/
  8. chardev/
  9. contrib/
  10. crypto/
  11. default-configs/
  12. disas/
  13. docs/
  14. dump/
  15. fpu/
  16. fsdev/
  17. gdb-xml/
  18. hw/
  19. include/
  20. io/
  21. libdecnumber/
  22. linux-headers/
  23. linux-user/
  24. migration/
  25. monitor/
  26. nbd/
  27. net/
  28. pc-bios/
  29. plugins/
  30. po/
  31. python/
  32. qapi/
  33. qga/
  34. qobject/
  35. qom/
  36. replay/
  37. roms/
  38. scripts/
  39. scsi/
  40. softmmu/
  41. storage-daemon/
  42. stubs/
  43. target/
  44. tcg/
  45. tests/
  46. tools/
  47. trace/
  48. ui/
  49. util/
  50. capstone
  51. dtc
  52. slirp
  53. .cirrus.yml
  54. .dir-locals.el
  55. .editorconfig
  56. .exrc
  57. .gdbinit
  58. .gitignore
  59. .gitlab-ci-edk2.yml
  60. .gitlab-ci-opensbi.yml
  61. .gitlab-ci.yml
  62. .gitmodules
  63. .gitpublish
  64. .mailmap
  65. .patchew.yml
  66. .readthedocs.yml
  67. .shippable.yml
  68. .travis.yml
  69. arch_init.c
  70. balloon.c
  71. block.c
  72. blockdev-nbd.c
  73. blockdev.c
  74. blockjob.c
  75. bootdevice.c
  76. Changelog
  77. CODING_STYLE.rst
  78. configure
  79. COPYING
  80. COPYING.LIB
  81. cpus-common.c
  82. cpus.c
  83. device_tree.c
  84. disas.c
  85. dma-helpers.c
  86. exec-vary.c
  87. exec.c
  88. gdbstub.c
  89. gitdm.config
  90. hmp-commands-info.hx
  91. hmp-commands.hx
  92. ioport.c
  93. iothread.c
  94. job-qmp.c
  95. job.c
  96. Kconfig.host
  97. LICENSE
  98. MAINTAINERS
  99. Makefile
  100. Makefile.objs
  101. Makefile.target
  102. memory.c
  103. memory_ldst.inc.c
  104. memory_mapping.c
  105. module-common.c
  106. os-posix.c
  107. os-win32.c
  108. qdev-monitor.c
  109. qemu-bridge-helper.c
  110. qemu-edid.c
  111. qemu-img-cmds.hx
  112. qemu-img.c
  113. qemu-io-cmds.c
  114. qemu-io.c
  115. qemu-keymap.c
  116. qemu-nbd.c
  117. qemu-options-wrapper.h
  118. qemu-options.h
  119. qemu-options.hx
  120. qemu-seccomp.c
  121. qemu-storage-daemon.c
  122. qemu.nsi
  123. qemu.sasl
  124. qtest.c
  125. README.rst
  126. replication.c
  127. replication.h
  128. rules.mak
  129. thunk.c
  130. tpm.c
  131. trace-events
  132. VERSION
  133. version.rc