-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1
 
 iQEbBAABAgAGBQJVeEPbAAoJEJykq7OBq3PIroMH+IPgOCb4VL5TLqviUqfKVor+
 Z4QRqAgUurSjtYj5kqAmLkoelP4HBjPngvW2JVwbYICuOcq9Pd+koB309yKRHw+M
 rW4TDhshonM/PUrf82cOXdkJUT+d+3FRYidZn3KXRbm+CEkyVOdNOPPefGD1ohVf
 azeocOqkYVZlMcIvf+CMgZc8xN0+WIzDYPfDFUfzEWrdYHL02GqTbpy7KeD4mlEV
 AGLy2W6ndYnhlvQI3Eums4+DLKqcFiZMZUMi/t+S2viYCCY0MQ3OtDQlWkB2wiDw
 +y8VqV720nWeIuCvzXq/yb7UeLHaEUjPqkBGUOFcDg0EQXtUMv6WIRLALXSoCQ==
 =6r65
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/stefanha/tags/CVE-2015-3209-pcnet-tx-buffer-fix-pull-request' into staging

# gpg: Signature made Wed Jun 10 15:04:11 2015 BST using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>"

* remotes/stefanha/tags/CVE-2015-3209-pcnet-tx-buffer-fix-pull-request:
  pcnet: force the buffer access to be in bounds during tx

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

hw/net/pcnet.c

@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s)
         }
 
         bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
+
+        /* if multi-tmd packet outsizes s->buffer then skip it silently.
+           Note: this is not what real hw does */
+        if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
+            s->xmit_pos = -1;
+            goto txdone;
+        }
+
         s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
                          s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
         s->xmit_pos += bcnt;