Commit 0ae045ae439ad83692ad039a554f7d62acf9de5c
1 parent
aec62507
Insufficient input validation in NE2000 card, written by Tavis Ormandy,
contributed by Aurelien Jarno. git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@3019 c046a42c-6fe2-441c-8c8c-71466251a162
Showing
1 changed file
with
5 additions
and
2 deletions
hw/ne2000.c
| ... | ... | @@ -224,7 +224,7 @@ static void ne2000_receive(void *opaque, const uint8_t *buf, int size) |
| 224 | 224 | { |
| 225 | 225 | NE2000State *s = opaque; |
| 226 | 226 | uint8_t *p; |
| 227 | - int total_len, next, avail, len, index, mcast_idx; | |
| 227 | + unsigned int total_len, next, avail, len, index, mcast_idx; | |
| 228 | 228 | uint8_t buf1[60]; |
| 229 | 229 | static const uint8_t broadcast_macaddr[6] = |
| 230 | 230 | { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; |
| ... | ... | @@ -293,7 +293,10 @@ static void ne2000_receive(void *opaque, const uint8_t *buf, int size) |
| 293 | 293 | |
| 294 | 294 | /* write packet data */ |
| 295 | 295 | while (size > 0) { |
| 296 | - avail = s->stop - index; | |
| 296 | + if (index <= s->stop) | |
| 297 | + avail = s->stop - index; | |
| 298 | + else | |
| 299 | + avail = 0; | |
| 297 | 300 | len = size; |
| 298 | 301 | if (len > avail) |
| 299 | 302 | len = avail; | ... | ... |