cf91b1d
From: Prasad J Pandit <pjp@fedoraproject.org>
cf91b1d
Date: Thu, 7 Apr 2016 15:56:02 +0530
cf91b1d
Subject: [PATCH] net: mipsnet: check packet length against buffer
cf91b1d
cf91b1d
When receiving packets over MIPSnet network device, it uses
cf91b1d
receive buffer of size 1514 bytes. In case the controller
cf91b1d
accepts large(MTU) packets, it could lead to memory corruption.
cf91b1d
Add check to avoid it.
cf91b1d
cf91b1d
Reported by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com>
cf91b1d
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
cf91b1d
Signed-off-by: Jason Wang <jasowang@redhat.com>
cf91b1d
cf91b1d
(cherry picked from commit 3af9187fc6caaf415ab9c0c6d92c9678f65cb17f)
cf91b1d
---
cf91b1d
 hw/net/mipsnet.c | 3 +++
cf91b1d
 1 file changed, 3 insertions(+)
cf91b1d
cf91b1d
diff --git a/hw/net/mipsnet.c b/hw/net/mipsnet.c
cf91b1d
index 740cd98..cf8b823 100644
cf91b1d
--- a/hw/net/mipsnet.c
cf91b1d
+++ b/hw/net/mipsnet.c
cf91b1d
@@ -83,6 +83,9 @@ static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si
cf91b1d
     if (!mipsnet_can_receive(nc))
cf91b1d
         return 0;
cf91b1d
 
cf91b1d
+    if (size >= sizeof(s->rx_buffer)) {
cf91b1d
+        return 0;
cf91b1d
+    }
cf91b1d
     s->busy = 1;
cf91b1d
 
cf91b1d
     /* Just accept everything. */