net: cadence_gem: check packet size in gem_recieve

While receiving packets in 'gem_receive' routine, if Frame Check
Sequence(FCS) is enabled, it copies the packet into a local
buffer without checking its size. Add check to validate packet
length against the buffer size to avoid buffer overflow.

Reported-by: Ling Liu <liuling-it@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>

diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
index de26609c9d8192d7b9a70fd8c002351f0c50cdc0..01534cf0884b0254a6c13369b7a2a78e7a7c8c12 100644 (file)
--- a/hw/net/cadence_gem.c
+++ b/hw/net/cadence_gem.c
@@ -718,6 +718,10 @@ static ssize_t gem_receive(NetClientState *nc, const uint8_t *buf, size_t size)
     } else {
         unsigned crc_val;
 
+        if (size > sizeof(rxbuf) - sizeof(crc_val)) {
+            size = sizeof(rxbuf) - sizeof(crc_val);
+        }
+        bytes_to_copy = size;
         /* The application wants the FCS field, which QEMU does not provide.
          * We must try and calculate one.
          */