e1000: bounds packet size against buffer size
Otherwise we can write beyond the buffer and corrupt memory. This is tracked as CVE-2012-0029. Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
This commit is contained in:
parent
520c0d8d27
commit
65f82df0d7
@ -466,6 +466,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
|
||||
bytes = split_size;
|
||||
if (tp->size + bytes > msh)
|
||||
bytes = msh - tp->size;
|
||||
|
||||
bytes = MIN(sizeof(tp->data) - tp->size, bytes);
|
||||
pci_dma_read(&s->dev, addr, tp->data + tp->size, bytes);
|
||||
if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
|
||||
memmove(tp->header, tp->data, hdr);
|
||||
@ -481,6 +483,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
|
||||
// context descriptor TSE is not set, while data descriptor TSE is set
|
||||
DBGOUT(TXERR, "TCP segmentaion Error\n");
|
||||
} else {
|
||||
split_size = MIN(sizeof(tp->data) - tp->size, split_size);
|
||||
pci_dma_read(&s->dev, addr, tp->data + tp->size, split_size);
|
||||
tp->size += split_size;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user