Insufficient input validation in NE2000 card, written by Tavis Ormandy,

author ths <ths@c046a42c-6fe2-441c-8c8c-71466251a162>

Mon, 25 Jun 2007 13:47:44 +0000 (13:47 +0000)

committer ths <ths@c046a42c-6fe2-441c-8c8c-71466251a162>

Mon, 25 Jun 2007 13:47:44 +0000 (13:47 +0000)
author ths <ths@c046a42c-6fe2-441c-8c8c-71466251a162>
Mon, 25 Jun 2007 13:47:44 +0000 (13:47 +0000)
committer ths <ths@c046a42c-6fe2-441c-8c8c-71466251a162>
Mon, 25 Jun 2007 13:47:44 +0000 (13:47 +0000)
diff --git a/hw/ne2000.c b/hw/ne2000.c

index 1625c5538895881bcf83f6de5213cbace1e7a7f8..6d5aa56e17947c3e9577ed6f8520b832777fb8eb 100644 (file)
--- a/hw/ne2000.c
+++ b/hw/ne2000.c
@@ -224,7 +224,7 @@ static void ne2000_receive(void *opaque, const uint8_t *buf, int size)
  {
      NE2000State *s = opaque;
      uint8_t *p;
-    int total_len, next, avail, len, index, mcast_idx;
+    unsigned int total_len, next, avail, len, index, mcast_idx;
      uint8_t buf1[60];
      static const uint8_t broadcast_macaddr[6] = 
          { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
@@ -293,7 +293,10 @@ static void ne2000_receive(void *opaque, const uint8_t *buf, int size)
  
      /* write packet data */
      while (size > 0) {
-        avail = s->stop - index;
+        if (index <= s->stop)
+            avail = s->stop - index;
+        else
+            avail = 0;
          len = size;
          if (len > avail)
              len = avail;
author	ths <ths@c046a42c-6fe2-441c-8c8c-71466251a162>
	Mon, 25 Jun 2007 13:47:44 +0000 (13:47 +0000)
committer	ths <ths@c046a42c-6fe2-441c-8c8c-71466251a162>
	Mon, 25 Jun 2007 13:47:44 +0000 (13:47 +0000)