+-- On Wed, 26 Oct 2016, Peter Maydell wrote --+
| The queue_tx function checks s->tx_fifo_len (because
| it's about to put something into s->tx_fifo[]), but it
| does not check anything about the values it puts into
| tx_fifo[]. The do_tx function then does
|   packetnum = s->tx_fifo[i];
|   p = &s->data[packetnum][0];
| where packetnum could be out of bounds.

Oh, sorry. Fixed in patch v3.

| If the passed 'packet' value is greater than 31 or
| negative then the function will invoke undefined
| behaviour. If it's less than 32 but bigger than the
| max number of packets then it will set allocated to
| a value it ought not to be able to hold, which makes
| the rest of the code harder to reason about.
|
| It can be set by malicious incoming vmstate data
| (and by arranging for release_packet() to be called
| with various out-of-bounds values, as described above).

Sent patch v3. Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
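The checks the thread asks for, as an added example written from the description above; it is not QEMU's code and not the v3 patch. The struct, the buffer count of 4, the 64-byte packet size, the `nic_post_load` and `release_packet` names and the sample states are all assumptions of this example; only the field roles (tx_fifo, tx_fifo_len, data[packetnum], allocated) follow the mail. The point it demonstrates is that every index that arrives from incoming vmstate data must be range-checked once, at load time, before any code path dereferences data[packetnum] or folds the value into the allocated bitmap.

```c
/* Added example, not QEMU's code: validating packet indices that arrive
 * in device state before they are used as array subscripts or bitmap bits.
 * Names and sizes below are assumptions for the demonstration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_PACKETS  4    /* packets actually backed by data[] (assumed) */
#define FIFO_DEPTH   NUM_PACKETS
#define PACKET_BYTES 64   /* assumed packet buffer size */

typedef struct {
    int      tx_fifo_len;
    int      tx_fifo[FIFO_DEPTH];          /* packet numbers queued for tx */
    uint32_t allocated;                    /* bit n set => packet n in use */
    uint8_t  data[NUM_PACKETS][PACKET_BYTES];
} nic_state;

/* Mask of bits that may legally be set in 'allocated' (one per real packet). */
static uint32_t legal_alloc_mask(void)
{
    return NUM_PACKETS >= 32 ? 0xffffffffu : ((1u << NUM_PACKETS) - 1u);
}

/* True when tx_fifo_len is sane and every queued index addresses data[]. */
static bool fifo_indices_valid(const nic_state *s)
{
    if (s->tx_fifo_len < 0 || s->tx_fifo_len > FIFO_DEPTH) {
        return false;
    }
    for (int i = 0; i < s->tx_fifo_len; i++) {
        int packetnum = s->tx_fifo[i];
        if (packetnum < 0 || packetnum >= NUM_PACKETS) {
            return false;          /* would index past data[] in do_tx */
        }
    }
    return true;
}

/* True when 'allocated' marks only packets the device can really hold. */
static bool allocated_bits_valid(const nic_state *s)
{
    return (s->allocated & ~legal_alloc_mask()) == 0;
}

/* post_load-style gate: reject the whole incoming state on any bad value,
 * so later code (do_tx, release_packet) can trust what it reads. */
static int nic_post_load(const nic_state *s)
{
    if (!fifo_indices_valid(s) || !allocated_bits_valid(s)) {
        return -1;
    }
    return 0;
}

/* release_packet with the bound check: out-of-range 'packet' is refused
 * instead of shifting by 32+ (undefined) or setting a bit it cannot hold. */
static bool release_packet(nic_state *s, int packet)
{
    if (packet < 0 || packet >= NUM_PACKETS) {
        return false;
    }
    s->allocated &= ~(1u << packet);
    return true;
}

/* Constructed sample states (not captured from a real migration stream). */
static void sample_state(nic_state *s, int fifo_len, int first, uint32_t alloc)
{
    memset(s, 0, sizeof *s);
    s->tx_fifo_len = fifo_len;
    s->tx_fifo[0] = first;
    s->tx_fifo[1] = 3;
    s->allocated = alloc;
}

static int demo_good(void)         { nic_state s; sample_state(&s, 2, 1, 0x0au);       return nic_post_load(&s); }
static int demo_bad_index(void)    { nic_state s; sample_state(&s, 2, 37, 0x0au);      return nic_post_load(&s); }
static int demo_bad_alloc(void)    { nic_state s; sample_state(&s, 2, 1, 1u << 20);    return nic_post_load(&s); }
static uint32_t demo_release_in_range(void)
{
    nic_state s; sample_state(&s, 0, 0, 0x0fu);
    release_packet(&s, 2);             /* clears bit 2 -> 0x0b */
    return s.allocated;
}
static uint32_t demo_release_out_of_range(void)
{
    nic_state s; sample_state(&s, 0, 0, 0x0fu);
    release_packet(&s, 40);            /* refused, bitmap untouched */
    return s.allocated;
}

int main(void)
{
    printf("good state: %d, bad fifo index: %d, bad allocated: %d\n",
           demo_good(), demo_bad_index(), demo_bad_alloc());
    printf("allocated after release(2): 0x%02x, after release(40): 0x%02x\n",
           demo_release_in_range(), demo_release_out_of_range());
    return 0;
}
```

The validation is deliberately done once, at load time, rather than at every use: a consumer such as do_tx that already holds a trusted tx_fifo[] does not need to repeat the range test, and a single rejection point is easier to audit than scattered checks.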
