lan9118 bug peeked received message size not equal to actual received message size

Bug #1904954 reported by alfred gedeon
Affects: QEMU | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: (none set)

Bug Description

peeked message size is not equal to read message size

Bug in the code at line:
https://github.com/qemu/qemu/blob/master/hw/net/lan9118.c#L1209

s->tx_status_fifo_head should be s->rx_status_fifo_head

Could also be a security bug, as the user could allocate a buffer of the peeked size, smaller than the actual packet received, which could cause a buffer overflow.

Thanks,

Alfred

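The mismatch the report describes, as an added example that is not code from QEMU or from the FreeRTOS driver: a constructed model of the two status FIFOs in which the peek register is indexed with the wrong head (the bug) beside the one-identifier fix, plus a driver that sizes its buffer from the peek and then cross-checks the popped status word before copying. Only the field names rx_status_fifo, rx_status_fifo_head and tx_status_fifo_head come from the report; the FIFO depth, the push/pop helpers, the driver logic and the sample frames are assumptions made for this example. The status word layout (packet length in bits 29:16) follows the LAN9118.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed model of the LAN9118 status FIFOs, written for this example.
 * Field names mirror the ones quoted in the report; depth, helpers and the
 * driver below are assumptions, not QEMU's or FreeRTOS's code.
 * Packet length sits in bits 29:16 of an RX status word.
 */
#define FIFO_DEPTH 8
#define RX_STATUS_LEN(w) (((w) >> 16) & 0x3fff)

struct lan9118_model {
    uint32_t rx_status_fifo[FIFO_DEPTH];
    int rx_status_fifo_head;
    int rx_status_fifo_used;
    uint32_t tx_status_fifo[FIFO_DEPTH];
    int tx_status_fifo_head;
    int tx_status_fifo_used;
};

/* Device side: a received frame's status word enters the RX status FIFO. */
static void rx_status_push(struct lan9118_model *s, uint32_t status)
{
    int tail = (s->rx_status_fifo_head + s->rx_status_fifo_used) % FIFO_DEPTH;
    s->rx_status_fifo[tail] = status;
    s->rx_status_fifo_used++;
}

/* RX_STATUS_FIFO read: returns and consumes the head entry. */
static uint32_t rx_status_pop(struct lan9118_model *s)
{
    uint32_t v = s->rx_status_fifo[s->rx_status_fifo_head];
    s->rx_status_fifo_head = (s->rx_status_fifo_head + 1) % FIFO_DEPTH;
    s->rx_status_fifo_used--;
    return v;
}

/* RX_STATUS_FIFO_PEEK as the report describes the bug: the RX FIFO is indexed
 * with the TX FIFO's head, so it returns whatever entry sits at that slot,
 * not the entry the next pop will return. */
static uint32_t rx_status_peek_buggy(const struct lan9118_model *s)
{
    return s->rx_status_fifo[s->tx_status_fifo_head];
}

/* The fix proposed in the report: index with the RX head. */
static uint32_t rx_status_peek_fixed(const struct lan9118_model *s)
{
    return s->rx_status_fifo[s->rx_status_fifo_head];
}

struct rx_result {
    uint32_t peeked_len;   /* length the driver sized its buffer from */
    uint32_t actual_len;   /* length in the status word it then popped */
    bool copy_refused;     /* driver caught actual > peeked and dropped the frame */
};

/* Driver side (assumed): size the buffer from the peek, then cross-check the
 * popped status before draining the frame into it. Without that check a peek
 * that under-reports the length becomes a heap overflow in the guest. */
static struct rx_result driver_receive_one(struct lan9118_model *s, bool buggy_peek)
{
    struct rx_result r = {0};
    uint32_t peeked = buggy_peek ? rx_status_peek_buggy(s) : rx_status_peek_fixed(s);
    r.peeked_len = RX_STATUS_LEN(peeked);

    uint8_t *buf = malloc(r.peeked_len ? r.peeked_len : 1);
    if (!buf) { r.copy_refused = true; return r; }

    r.actual_len = RX_STATUS_LEN(rx_status_pop(s));
    if (r.actual_len > r.peeked_len) {
        r.copy_refused = true;           /* would overflow buf: drop instead */
    } else {
        memset(buf, 0xAA, r.actual_len); /* stands in for draining the RX data FIFO */
    }
    free(buf);
    return r;
}

/* Constructed scenario: two frames received, the first already consumed, so
 * rx_status_fifo_head == 1 while tx_status_fifo_head is still 0. */
static struct lan9118_model make_scenario(void)
{
    struct lan9118_model s;
    memset(&s, 0, sizeof s);
    rx_status_push(&s, 64u << 16);    /* frame 1: 64 bytes, popped below */
    rx_status_push(&s, 1500u << 16);  /* frame 2: 1500 bytes, the next to read */
    rx_status_pop(&s);
    return s;
}

int main(void)
{
    struct lan9118_model s = make_scenario();
    struct rx_result b = driver_receive_one(&s, true);
    printf("buggy peek: peeked=%u actual=%u refused=%d\n", b.peeked_len, b.actual_len, b.copy_refused);
    s = make_scenario();
    struct rx_result f = driver_receive_one(&s, false);
    printf("fixed peek: peeked=%u actual=%u refused=%d\n", f.peeked_len, f.actual_len, f.copy_refused);
    return 0;
}
```

With the buggy peek the driver is told 64 bytes and then pops a 1500-byte status word; the cross-check is what the driver-side workaround later in the thread amounts to (trust the popped size, not the peeked one). With the fixed peek both values agree. The mismatch only appears once the two heads diverge, which is why a trivial single-frame test would not reproduce it.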
alfred gedeon (alfred2g)
description: updated
alfred gedeon (alfred2g)
description: updated
description: updated
alfred gedeon (alfred2g)
summary: - lan9118 bug peeking receive massage size not equal to received message
- size
+ lan9118 bug peeked received message size not equal to actual received
+ message size
Revision history for this message
Peter Maydell (pmaydell) wrote :

Do you have a test case that will reproduce this bug?

Revision history for this message
Peter Maydell (pmaydell) wrote :

(The line of code you point out is pretty clearly wrong; it would just be nice to have a test case to confirm that the obvious fix works.)

Revision history for this message
Peter Maydell (pmaydell) wrote :

This patchset should fix this bug:
https://<email address hidden>/

PS: this isn't a security issue because the lan9118 is used only on board models that can't run under KVM and so it is not on QEMU's security boundary.

Peter Maydell (pmaydell)
Changed in qemu:
status: New → In Progress
Revision history for this message
alfred gedeon (alfred2g) wrote :

We do have some code that is giving different results between the peeked and the actual:

https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/blob/9a25860e761036a9eb780799c9db632e3eff60c9/portable/NetworkInterface/MPS2_AN385/NetworkInterface.c#L237

We also have a fix to circumvent the problem by just reading the actual size and omitting the peeked bytes.

https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/pull/142

Changing the code I pointed to locally worked fine, but we can't expect all our users to compile QEMU from scratch and apply a patch.

Alfred

Revision history for this message
Peter Maydell (pmaydell) wrote :

Fix now in master: commit e7e29fdbbe07f.

Changed in qemu:
status: In Progress → Fix Committed
Thomas Huth (th-huth)
tags: added: networking
removed: netwroking
Thomas Huth (th-huth)
Changed in qemu:
status: Fix Committed → Fix Released