net: cadence_gem: check packet size in gem_recieve

While receiving packets in 'gem_receive' routine, if Frame Check
Sequence(FCS) is enabled, it copies the packet into a local
buffer without checking its size. Add check to validate packet
length against the buffer size to avoid buffer overflow.

Reported-by: Ling Liu <liuling-it@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>

diff --git a/hw/cadence_gem.c b/hw/cadence_gem.c
index 0c037a299311c80c97c7b0718c22a49e3cd7c4bf..8cd216c6ef88bbd52959a9603b7142e7f450f758 100644 (file)
--- a/hw/cadence_gem.c
+++ b/hw/cadence_gem.c
@@ -659,6 +659,10 @@ static ssize_t gem_receive(NetClientState *nc, const uint8_t *buf, size_t size)
         unsigned crc_val;
         int      crc_offset;
 
+        if (size > sizeof(rxbuf) - sizeof(crc_val)) {
+            size = sizeof(rxbuf) - sizeof(crc_val);
+        }
+        bytes_to_copy = size;
         /* The application wants the FCS field, which QEMU does not provide.
          * We must try and caclculate one.
          */