"hw/net/can: sja1000 fix buff2frame* when dlc is out of std CAN 8 bytes"
On 7/29/21 2:33 PM, Pavel Pisa wrote: > Problem reported by openEuler fuzz-sig group. > > The buff2frame_bas function (hw\net\can\can_sja1000.c) > infoleak(qemu5.x~qemu6.x) or stack-overflow(qemu 4.x). Cc: qemu-sta...@nongnu.org > Reported-by: Qiang Ning <ningqia...@huawei.com> > Signed-off-by: Pavel Pisa <p...@cmp.felk.cvut.cz> Reviewed-by: Philippe Mathieu-Daudé <phi...@redhat.com> > --- > hw/net/can/can_sja1000.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/hw/net/can/can_sja1000.c b/hw/net/can/can_sja1000.c > index 42d2f99dfb..34eea684ce 100644 > --- a/hw/net/can/can_sja1000.c > +++ b/hw/net/can/can_sja1000.c > @@ -275,6 +275,10 @@ static void buff2frame_pel(const uint8_t *buff, > qemu_can_frame *frame) > } > frame->can_dlc = buff[0] & 0x0f; > > + if (frame->can_dlc > 8) { > + frame->can_dlc = 8; > + } > + > if (buff[0] & 0x80) { /* Extended */ > frame->can_id |= QEMU_CAN_EFF_FLAG; > frame->can_id |= buff[1] << 21; /* ID.28~ID.21 */ > @@ -311,6 +315,10 @@ static void buff2frame_bas(const uint8_t *buff, > qemu_can_frame *frame) > } > frame->can_dlc = buff[1] & 0x0f; > > + if (frame->can_dlc > 8) { > + frame->can_dlc = 8; > + } > + > for (i = 0; i < frame->can_dlc; i++) { > frame->data[i] = buff[2 + i]; > } >