| blob | 5b34ecfb28ebc4601007f401dbd1fff1359d716b |
1 From ab216355b6d509dce42fda4391f61b49df2ddc93 Mon Sep 17 00:00:00 2001
2 From: Prasad J Pandit <pjp@fedoraproject.org>
3 Date: Thu, 31 Dec 2015 17:05:27 +0530
4 Subject: [PATCH] net: ne2000: fix bounds check in ioport operations
6 While doing ioport r/w operations, ne2000 device emulation suffers
7 from OOB r/w errors. Update respective array bounds check to avoid
8 OOB access.
10 Reported-by: Ling Liu <liuling-it@360.cn>
11 Cc: qemu-stable@nongnu.org
12 Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
13 Signed-off-by: Jason Wang <jasowang@redhat.com>
14 ---
15 hw/net/ne2000.c | 10 ++++++----
16 1 file changed, 6 insertions(+), 4 deletions(-)
18 diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
19 index 010f9ef..a3dffff 100644
20 --- a/hw/net/ne2000.c
21 +++ b/hw/net/ne2000.c
22 @@ -467,8 +467,9 @@ static inline void ne2000_mem_writel(NE2000State *s, uint32_t addr,
23 uint32_t val)
24 {
25 addr &= ~1; /* XXX: check exact behaviour if not even */
26 - if (addr < 32 ||
27 - (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
28 + if (addr < 32
29 + || (addr >= NE2000_PMEM_START
30 + && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
31 stl_le_p(s->mem + addr, val);
32 }
33 }
34 @@ -497,8 +498,9 @@ static inline uint32_t ne2000_mem_readw(NE2000State *s, uint32_t addr)
35 static inline uint32_t ne2000_mem_readl(NE2000State *s, uint32_t addr)
36 {
37 addr &= ~1; /* XXX: check exact behaviour if not even */
38 - if (addr < 32 ||
39 - (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
40 + if (addr < 32
41 + || (addr >= NE2000_PMEM_START
42 + && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
43 return ldl_le_p(s->mem + addr);
44 } else {
45 return 0xffffffff;
46 --
47 2.1.4