The .receive callback of xlnx.xps-ethernetlite doesn't check the length
of data before calling memcpy. As a result, the NetClientState object in
heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite
will be affected.
Reported-by: chaojianhu <chaojianhu@hotmail.com>
Signed-off-by: chaojianhu <chaojianhu@hotmail.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
}
D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase));
+ if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4) {
+ D(qemu_log("ethlite packet is too big, size=%x\n", size));
+ return -1;
+ }
memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size);
s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;