79c4324644
Change-Id: I2d302dda68298877c65c99147f5bf22186a59aac
50 lines
1.8 KiB
Diff
From 967c8f6e799756baf95c025ba8107206c3afd398 Mon Sep 17 00:00:00 2001
From: dinglimin_yewu <dinglimin_yewu@cmss.chinamobile.com>
Date: Thu, 28 Sep 2023 16:25:23 +0800
Subject: [PATCH] hw/net: Fix read of uninitialized memory in ftgmac100
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

cherry-pick from 036e98e5c2b4e25c8d6ccbddb85c7ab05a753f6a

With the `size += 4` before the call to `crc32`, the CRC calculation
would overrun the buffer. Size is used in the while loop starting on
line 1009 to determine how much data to write back, with the last
four bytes coming from `crc_ptr`, so do need to increase it, but should
do this after the computation.

I'm unsure why this use of uninitialized memory in the CRC doesn't
result in CRC errors, but it seems clear to me that it should not be
included in the calculation.

Signed-off-by: Stephen Longfield <slongfield@google.com>
Reviewed-by: Hao Wu <wuhaotsh@google.com>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Message-Id: <20221220221437.3303721-1-slongfield@google.com>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: dinglimin_yewu <dinglimin_yewu@cmss.chinamobile.com>
---
hw/net/ftgmac100.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/net/ftgmac100.c b/hw/net/ftgmac100.c
index 83ef0a783e..d3bf14be53 100644
--- a/hw/net/ftgmac100.c
+++ b/hw/net/ftgmac100.c
@@ -980,9 +980,9 @@ static ssize_t ftgmac100_receive(NetClientState *nc, const uint8_t *buf,
return size;
}
- /* 4 bytes for the CRC. */
- size += 4;
crc = cpu_to_be32(crc32(~0, buf, size));
+ /* Increase size by 4, loop below reads the last 4 bytes from crc_ptr. */
+ size += 4;
crc_ptr = (uint8_t *) &crc;
/* Huge frames are truncated. */
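Review bot: The literal 4 in the added `size += 4;` is only correct because `crc` is a 32-bit value that the later loop reads back through `crc_ptr`; writing it as `size += sizeof(crc);` would tie the length to the object actually being appended. The new comment explains why size grows but not why the increment has to sit after the `crc32(~0, buf, size)` call, and that ordering is the whole fix: `buf` holds only `size` payload bytes, so any larger length reads past it. Since the commit message says the old over-read never showed up as CRC errors, it would also help to add a receive test that checks the last four bytes written back, so a future reordering is caught.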
--
2.41.0.windows.1