ne2000: fix possible out of bound access in ne2000_receive
commitfdc89e90fac40c5ca2686733df17b6423fb8d8fb
authorJason Wang <jasowang@redhat.com>
Wed, 30 May 2018 05:08:15 +0000 (30 13:08 +0800)
committerJason Wang <jasowang@redhat.com>
Fri, 19 Oct 2018 03:15:04 +0000 (19 11:15 +0800)
tree6ae4a9fd42ded7ab3f77a3b4a3455592975c6dbe
parent7da2d99fb9fbf30104125c061caaff330e362d74
ne2000: fix possible out of bound access in ne2000_receive

In ne2000_receive(), we try to assign size_ to size which converts
from size_t to integer. This will cause troubles when size_ is greater
INT_MAX, this will lead a negative value in size and it can then pass
the check of size < MIN_BUF_SIZE which may lead out of bound access of
for both buf and buf1.

Fixing by converting the type of size to size_t.

CC: qemu-stable@nongnu.org
Reported-by: Daniel Shapira <daniel@twistlock.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
hw/net/ne2000.c