qemu-stable
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2] hw/net/can: sja1000 fix buff2frame_bas and buff2frame_pel

From: Jason Wang
Subject: Re: [PATCH v2] hw/net/can: sja1000 fix buff2frame_bas and buff2frame_pel when dlc is out of std CAN 8 bytes
Date: Mon, 2 Aug 2021 12:03:00 +0800
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.12.0 

在 2021/7/29 下午8:48, Philippe Mathieu-Daudé 写道:

"hw/net/can: sja1000 fix buff2frame* when dlc is out of std CAN 8 bytes"

On 7/29/21 2:33 PM, Pavel Pisa wrote:

Problem reported by openEuler fuzz-sig group.

The buff2frame_bas function (hw\net\can\can_sja1000.c)
infoleak(qemu5.x~qemu6.x) or stack-overflow(qemu 4.x).

Cc: qemu-stable@nongnu.org


Reported-by: Qiang Ning <ningqiang1@huawei.com>
Signed-off-by: Pavel Pisa <pisa@cmp.felk.cvut.cz>

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>



Applied.

Thanks





---
  hw/net/can/can_sja1000.c | 8 ++++++++
  1 file changed, 8 insertions(+)

diff --git a/hw/net/can/can_sja1000.c b/hw/net/can/can_sja1000.c
index 42d2f99dfb..34eea684ce 100644
--- a/hw/net/can/can_sja1000.c
+++ b/hw/net/can/can_sja1000.c
@@ -275,6 +275,10 @@ static void buff2frame_pel(const uint8_t *buff, 
qemu_can_frame *frame)
      }
      frame->can_dlc = buff[0] & 0x0f;
+ if (frame->can_dlc > 8) { 
+        frame->can_dlc = 8;
+    }
+
      if (buff[0] & 0x80) { /* Extended */
          frame->can_id |= QEMU_CAN_EFF_FLAG;
          frame->can_id |= buff[1] << 21; /* ID.28~ID.21 */
@@ -311,6 +315,10 @@ static void buff2frame_bas(const uint8_t *buff, 
qemu_can_frame *frame)
      }
      frame->can_dlc = buff[1] & 0x0f;
+ if (frame->can_dlc > 8) { 
+        frame->can_dlc = 8;
+    }
+
      for (i = 0; i < frame->can_dlc; i++) {
          frame->data[i] = buff[2 + i];
      }
reply via email to
[Prev in Thread] Current Thread [Next in Thread]