git.ipfire.org Git - thirdparty/qemu.git/commit

author	Peter Maydell <peter.maydell@linaro.org>
	Fri, 28 Feb 2025 17:48:00 +0000 (17:48 +0000)
committer	Michael Tokarev <mjt@tls.msk.ru>
	Sat, 22 Mar 2025 07:52:51 +0000 (10:52 +0300)
commit	486405f88648049aec7da72b7f99a11f85dd1556
tree	3b29188b2d23bafd7404816a580890a26c5892ef	tree \| snapshot
parent	1507587d30fd1fced747999e839b3e09a5ad6540	commit \| diff

hw/net/smc91c111: Sanitize packet length on tx

When the smc91c111 transmits a packet, it must read a control byte
which is at the end of the data area and CRC.  However, we don't
sanitize the length field in the packet buffer, so if the guest sets
the length field to something large we will try to read past the end
of the packet data buffer when we access the control byte.

As usual, the datasheet says nothing about the behaviour of the
hardware if the guest misprograms it in this way.  It says only that
the maximum valid length is 2048 bytes.  We choose to log the guest
error and silently drop the packet.

This requires us to factor out the "mark the tx packet as complete"
logic, so we can call it for this "drop packet" case as well as at
the end of the loop when we send a valid packet.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2742
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20250228174802.1945417-3-peter.maydell@linaro.org>
[PMD: Update smc91c111_do_tx() as len > MAX_PACKET_SIZE]
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
(cherry picked from commit aad6f264add3f2be72acb660816588fe09110069)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>