| commit | c2ab73fcbe79e0c751ab44cb6f42672f37a060e7 | |
| author | Cédric Le Goater <clg@kaod.org> | |
| Tue, 1 Sep 2020 12:21:50 +0000 (1 14:21 +0200) | ||
| committer | Cédric Le Goater <clg@kaod.org> | |
| Tue, 1 Sep 2020 12:21:50 +0000 (1 14:21 +0200) | ||
| tree | 58bb832393e4e57e5bc8d69912b1a6dd51d1f097 | treesnapshot (tar.gz zip) |
| parent | af6d66e23557a36491a06857a447d016f6cf9f33 | commitdiff |
ftgmac100: Fix integer overflow in ftgmac100_do_tx()
When inserting the VLAN tag in packets, memmove() can generate an
integer overflow for packets whose length is less than 12 bytes.
Move the VLAN insertion when the last segment of the frame is reached
and check length against the size of the ethernet header (14 bytes) to
avoid the crash. Return FTGMAC100_INT_XPKT_LOST status if the frame is
too small. This seems like a good modeling choice even if Aspeed does
not specify anything in that case.
Cc: Frederic Konrad <konrad.frederic@yahoo.fr>
Cc: Mauro Matteo Cascella <mcascell@redhat.com>
Reported-by: Ziming Zhang <ezrakiez@gmail.com>
Message-Id: <20200819100956.2216690-15-clg@kaod.org>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
When inserting the VLAN tag in packets, memmove() can generate an
integer overflow for packets whose length is less than 12 bytes.
Move the VLAN insertion when the last segment of the frame is reached
and check length against the size of the ethernet header (14 bytes) to
avoid the crash. Return FTGMAC100_INT_XPKT_LOST status if the frame is
too small. This seems like a good modeling choice even if Aspeed does
not specify anything in that case.
Cc: Frederic Konrad <konrad.frederic@yahoo.fr>
Cc: Mauro Matteo Cascella <mcascell@redhat.com>
Reported-by: Ziming Zhang <ezrakiez@gmail.com>
Message-Id: <20200819100956.2216690-15-clg@kaod.org>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
| hw/net/ftgmac100.c | diffblobblamehistory |