OpenE2K/qemu-e2k
13
4
Fork 0
Code Issues 4 Pull Requests Projects 2 Releases Activity

hw/net/can: sja1000 fix buff2frame_bas and buff2frame_pel when dlc is out of std CAN 8 bytes

Browse Source 
Problem reported by openEuler fuzz-sig group.

The buff2frame_bas function (hw\net\can\can_sja1000.c)
infoleak(qemu5.x~qemu6.x) or stack-overflow(qemu 4.x).

Reported-by: Qiang Ning <ningqiang1@huawei.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Pavel Pisa <pisa@cmp.felk.cvut.cz>
Signed-off-by: Jason Wang <jasowang@redhat.com>
This commit is contained in:
Pavel Pisa 2021-07-29 14:33:27 +02:00 committed by Jason Wang
parent 9010b0c7a9
commit 11744862f2
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
hw/net/can/can_sja1000.c
View File

@ -275,6 +275,10 @@ static void buff2frame_pel(const uint8_t *buff, qemu_can_frame *frame)
}
frame->can_dlc = buff[0] & 0x0f;
if (frame->can_dlc > 8) {
frame->can_dlc = 8;
}
if (buff[0] & 0x80) { /* Extended */
frame->can_id |= QEMU_CAN_EFF_FLAG;
frame->can_id |= buff[1] << 21; /* ID.28~ID.21 */
@ -311,6 +315,10 @@ static void buff2frame_bas(const uint8_t *buff, qemu_can_frame *frame)
}
frame->can_dlc = buff[1] & 0x0f;
if (frame->can_dlc > 8) {
frame->can_dlc = 8;
}
for (i = 0; i < frame->can_dlc; i++) {
frame->data[i] = buff[2 + i];
}