This patchset fixes some potential array overflows in the smc91c111 ethernet device model, including the one found in https://gitlab.com/qemu-project/qemu/-/issues/2742
There are two classes of bugs: * we accept packet numbers from the guest, but we were not validating that they were in range before using them as an index into the data[][] array * we didn't sanitize the length field read from the data frame on tx before using it as an index to find the control byte at the end of the frame, so we could read off the end of the buffer This patchset fixes both of these. The datasheet is sadly silent on the h/w behaviour for these errors, so I opted to LOG_GUEST_ERROR and silently ignore the invalid operations. Patch 3 tidies up the existing code to use a constant defined in patch 2; I put it last so we can cc the first two patches to stable without having to also backport that patch. thanks -- PMM Peter Maydell (3): hw/net/smc91c111: Sanitize packet numbers hw/net/smc91c111: Sanitize packet length on tx hw/net/smc91c111: Use MAX_PACKET_SIZE instead of magic numbers hw/net/smc91c111.c | 87 +++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 79 insertions(+), 8 deletions(-) -- 2.43.0
