A buffer overflow vulnerability was found in the mipsnet_ioport_write() function of the MIPSnet network device emulation in QEMU. A guest that writes a length greater than MAX_ETH_FRAME_SIZE (or a length of zero) to the MIPSNET_TX_DATA_COUNT register leaves s->tx_count at 0. Subsequent guest writes to MIPSNET_TX_DATA_BUFFER are stored at s->tx_buffer[s->tx_written++] with no bounds check, and the s->tx_written == s->tx_count test that would flush the buffer and reset the counters can never be true, so s->tx_written keeps growing past the end of s->tx_buffer and each further write corrupts whatever memory follows the buffer in MIPSnetState.

Vulnerable code (hw/net/mipsnet.c):

    static void mipsnet_ioport_write(void *opaque, hwaddr addr,
                                     uint64_t val, unsigned int size)
    {
        MIPSnetState *s = opaque;

        addr &= 0x3f;
        trace_mipsnet_write(addr, val);
        switch (addr) {
        case MIPSNET_TX_DATA_COUNT:
            s->tx_count = (val <= MAX_ETH_FRAME_SIZE) ? val : 0; // set tx_count=0
            s->tx_written = 0;
            break;
        ...
        case MIPSNET_TX_DATA_BUFFER:
            s->tx_buffer[s->tx_written++] = val;
            if (s->tx_written == s->tx_count) { // never gets executed, causes s->tx_buffer to overflow
                /* Send buffer. */
                trace_mipsnet_send(s->tx_count);
                qemu_send_packet(qemu_get_queue(s->nic), s->tx_buffer, s->tx_count);
                s->tx_count = s->tx_written = 0;
                s->intctl |= MIPSNET_INTCTL_TXDONE;
                s->busy = 1;
                mipsnet_update_irq(s);
            }
        ...
        }

Because the data-buffer path trusts s->tx_written, a guest with access to the device's I/O ports can push s->tx_written beyond MAX_ETH_FRAME_SIZE and overflow s->tx_buffer.
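To make the failure path concrete, here is an added, self-contained C model of the TX register handling. It is example code written for this page, not QEMU's own code and not the upstream fix. It reproduces the control flow of the snippet above against an in-memory stand-in for MIPSnetState, with a guard region placed after the 1514-byte buffer so the out-of-bounds writes can be counted instead of corrupting unrelated memory, and pairs it with a hardened handler that refuses data writes while no frame length is set or the buffer is already full. The register offsets, the MAX_ETH_FRAME_SIZE value, the constructed guest write sequences and the hardening check are all assumptions of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed constants for the model (chosen to mirror hw/net/mipsnet.c). */
#define MAX_ETH_FRAME_SIZE      1514
#define MIPSNET_TX_DATA_COUNT   0x10
#define MIPSNET_TX_DATA_BUFFER  0x20
#define GUARD_SIZE              64      /* detector region, not part of the real device */
#define GUARD_FILL              0xAA

/* Stand-in for MIPSnetState. The first MAX_ETH_FRAME_SIZE bytes of tx_buffer
 * model the real buffer; the GUARD_SIZE bytes after it catch the overflow. */
typedef struct {
    uint32_t tx_count;
    uint32_t tx_written;
    uint8_t  tx_buffer[MAX_ETH_FRAME_SIZE + GUARD_SIZE];
    unsigned packets_sent;          /* stand-in for qemu_send_packet() side effects */
    size_t   last_packet_len;
} MIPSnetModel;

typedef void (*write_fn)(MIPSnetModel *, uint64_t, uint64_t);

static void model_init(MIPSnetModel *s) {
    memset(s, 0, sizeof *s);
    memset(s->tx_buffer + MAX_ETH_FRAME_SIZE, GUARD_FILL, GUARD_SIZE);
}

/* Replaces qemu_send_packet(): record the frame and reset the counters. */
static void model_send(MIPSnetModel *s) {
    s->packets_sent++;
    s->last_packet_len = s->tx_count;
    s->tx_count = s->tx_written = 0;
}

/* Vulnerable handler: same control flow as the snippet above. The store is
 * clamped to the guard region only so this model stays memory-safe; the real
 * device has no such clamp and keeps writing past the buffer. */
static void vuln_ioport_write(MIPSnetModel *s, uint64_t addr, uint64_t val) {
    addr &= 0x3f;
    switch (addr) {
    case MIPSNET_TX_DATA_COUNT:
        s->tx_count = (val <= MAX_ETH_FRAME_SIZE) ? (uint32_t)val : 0;
        s->tx_written = 0;
        break;
    case MIPSNET_TX_DATA_BUFFER:
        if (s->tx_written < MAX_ETH_FRAME_SIZE + GUARD_SIZE)
            s->tx_buffer[s->tx_written] = (uint8_t)val;   /* index >= 1514 lands in the guard */
        s->tx_written++;
        if (s->tx_written == s->tx_count)                 /* never true once tx_count == 0 */
            model_send(s);
        break;
    }
}

/* Hardened handler (my suggested check, not the upstream patch): data writes
 * are dropped unless a frame length is set and there is room left for it.
 * Since tx_count <= MAX_ETH_FRAME_SIZE, tx_written < tx_count keeps the
 * index inside the real buffer. */
static void fixed_ioport_write(MIPSnetModel *s, uint64_t addr, uint64_t val) {
    addr &= 0x3f;
    switch (addr) {
    case MIPSNET_TX_DATA_COUNT:
        s->tx_count = (val <= MAX_ETH_FRAME_SIZE) ? (uint32_t)val : 0;
        s->tx_written = 0;
        break;
    case MIPSNET_TX_DATA_BUFFER:
        if (s->tx_count == 0 || s->tx_written >= s->tx_count)
            break;
        s->tx_buffer[s->tx_written++] = (uint8_t)val;
        if (s->tx_written == s->tx_count)
            model_send(s);
        break;
    }
}

/* Number of guard bytes that no longer hold GUARD_FILL (0 means no overflow). */
static size_t guard_bytes_clobbered(const MIPSnetModel *s) {
    size_t n = 0;
    for (size_t i = 0; i < GUARD_SIZE; i++)
        if (s->tx_buffer[MAX_ETH_FRAME_SIZE + i] != GUARD_FILL) n++;
    return n;
}

/* Replay a constructed guest sequence: one TX_DATA_COUNT write, then nbytes
 * TX_DATA_BUFFER writes. Returns how many guard bytes were overwritten. */
static size_t replay(write_fn fn, MIPSnetModel *s, uint64_t count, size_t nbytes) {
    model_init(s);
    fn(s, MIPSNET_TX_DATA_COUNT, count);
    for (size_t i = 0; i < nbytes; i++)
        fn(s, MIPSNET_TX_DATA_BUFFER, 0x41);
    return guard_bytes_clobbered(s);
}

int main(void) {
    MIPSnetModel s;
    size_t hit;
    /* Oversized count (forced to 0) followed by more data than the buffer holds. */
    hit = replay(vuln_ioport_write, &s, 2000, MAX_ETH_FRAME_SIZE + 16);
    printf("vulnerable: guard bytes clobbered=%zu, packets sent=%u\n", hit, s.packets_sent);
    hit = replay(fixed_ioport_write, &s, 2000, MAX_ETH_FRAME_SIZE + 16);
    printf("hardened:   guard bytes clobbered=%zu, packets sent=%u\n", hit, s.packets_sent);
    /* A well-formed 64-byte frame still goes out with the hardened handler. */
    hit = replay(fixed_ioport_write, &s, 64, 64);
    printf("hardened, valid frame: sent=%u len=%zu guard=%zu\n", s.packets_sent, s.last_packet_len, hit);
    return 0;
}
```

The model shows the two halves of the bug together: the TX_DATA_COUNT path silently turns an invalid length into 0, and the TX_DATA_BUFFER path has no check of its own, so once tx_count is 0 every data write advances tx_written and none of them is ever flushed. Either half alone would be harmless; the fix has to make the data path stop trusting the counter.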
Acknowledgments: Name: Li Qiang (Qihoo 360 Inc.)