On 11/30/2015 06:46 PM, Michael S. Tsirkin wrote:
> On Mon, Nov 30, 2015 at 03:38:23PM +0800, Jason Wang wrote:
>> Backends could provide a packet whose length is greater than buffer
>> size. Check for this and truncate the packet to avoid rx buffer
>> overflow in this case.
>>
>> Cc: Prasad J Pandit <[email protected]>
>> Cc: [email protected]
>> Signed-off-by: Jason Wang <[email protected]>
> Reviewed-by: Michael S. Tsirkin <[email protected]>
Applied to my -net. Thanks.
>
>> ---
>> hw/net/pcnet.c | 6 ++++++
>> 1 file changed, 6 insertions(+)
>>
>> diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
>> index 309c40b..1f4a3db 100644
>> --- a/hw/net/pcnet.c
>> +++ b/hw/net/pcnet.c
>> @@ -1064,6 +1064,12 @@ ssize_t pcnet_receive(NetClientState *nc, const
>> uint8_t *buf, size_t size_)
>> int pktcount = 0;
>>
>> if (!s->looptest) {
>> + if (size > 4092) {
>> +#ifdef PCNET_DEBUG_RMD
>> + fprintf(stderr, "pcnet: truncates rx packet.\n");
>> +#endif
>> + size = 4092;
>> + }
>> memcpy(src, buf, size);
>> /* no need to compute the CRC */
>> src[size] = 0;
>> --
>> 2.5.0
>>
