From: Peter Maydell
To: qemu-arm@nongnu.org, qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Jason Wang
Subject: [PATCH] hw/net/smc91c111: Don't allow negative-length packets
Date: Thu, 26 Feb 2026 17:55:49 +0000
Message-ID: <20260226175549.1319476-1-peter.maydell@linaro.org>

The smc91c111 data frame format in memory (figure 8-1 in the datasheet) includes a "byte count" field which is intended to be the total size of the data frame, including not just the packet data but also the leading and trailing information like the status word and the byte count field itself. It is therefore possible for the guest to set this to a value so small that the leading and trailing fields won't fit and the packet has effectively a negative area.
We weren't checking for this, with the result that when we subtract 6 from the length to get the length of the packet proper we end up with a negative length, which is then inconsistently handled in the qemu_send_packet() code such that we can try to transmit a very large amount of data and read off the end of the device's data array.

Treat excessively small length values the same way we do excessively large values. As with the oversized case, the datasheet does not describe what happens for this software error case, and there is no relevant tx error condition for this, so we just log and drop the packet.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3304
Signed-off-by: Peter Maydell
Reviewed-by: Philippe Mathieu-Daudé
---
 hw/net/smc91c111.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/hw/net/smc91c111.c b/hw/net/smc91c111.c index 3420d8e28e..3b526524fb 100644 --- a/hw/net/smc91c111.c +++ b/hw/net/smc91c111.c @@ -30,6 +30,12 @@ * LAN91C111 datasheet). */ #define MAX_PACKET_SIZE 2048 +/* + * Size of the non-data fields in a data frame: status word, + * byte count, control byte, and last data byte; this defines + * the smallest value the byte count in the frame can validly be. + */ +#define MIN_PACKET_SIZE 6 =20 #define TYPE_SMC91C111 "smc91c111" OBJECT_DECLARE_SIMPLE_TYPE(smc91c111_state, SMC91C111) @@ -289,7 +295,7 @@ static void smc91c111_do_tx(smc91c111_state *s) *(p++) =3D 0x40; len =3D *(p++); len |=3D ((int)*(p++)) << 8; - if (len > MAX_PACKET_SIZE) { + if (len < MIN_PACKET_SIZE || len > MAX_PACKET_SIZE) { /* * Datasheet doesn't say what to do here, and there is no * relevant tx error condition listed. Log, and drop the packe= t.
@@ -300,7 +306,13 @@ static void smc91c111_do_tx(smc91c111_state *s) smc91c111_complete_tx_packet(s, packetnum); continue; } - len -=3D 6; + /* + * Convert from size of the data frame to number of bytes of + * actual packet data. Whether the "last data byte" field is + * included in the packet depends on the ODD bit in the control + * byte at the end of the frame. + */ + len -=3D MIN_PACKET_SIZE; control =3D p[len + 1]; if (control & 0x20) len++; --=20 2.43.0
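Review bot: in the first hunk (the new MIN_PACKET_SIZE define), the comment lists the four fields that add up to 6 but not where that layout comes from; since the commit message derives it from figure 8-1 of the datasheet, and the MAX_PACKET_SIZE comment just above already points at the LAN91C111 datasheet, citing the figure next to the define would let a reader check the constant without the commit history. Naming is a minor point: the value is the minimum valid frame byte count rather than a packet size, though the name does mirror MAX_PACKET_SIZE.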
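Review bot: in the second hunk, the widened condition `if (len < MIN_PACKET_SIZE || len > MAX_PACKET_SIZE)` now sends undersized byte counts down the same path as oversized ones, but the log call that the context comment ("Log, and drop the packet") refers to is outside the hunk; if that message describes the length only as too large, it should be generalised so the undersized case is not misreported. The arithmetic that follows is now consistent: after `len -= MIN_PACKET_SIZE` the value is at least 0 and at most MAX_PACKET_SIZE - 6, so `control = p[len + 1]` and the ODD-bit `len++` stay inside the frame.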
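To make the arithmetic in the commit message concrete, here is an added stand-alone model of the frame check (example code, not QEMU's smc91c111.c): it parses a constructed TX frame in the layout described above, shows the negative length the pre-patch subtraction produces for an undersized byte count, and applies the combined lower/upper bound check from the patch. Names other than MAX_PACKET_SIZE and MIN_PACKET_SIZE are hypothetical, and the frame contents are a constructed sample.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the smc91c111 TX frame check; not QEMU's own code. */
#define MAX_PACKET_SIZE 2048
#define MIN_PACKET_SIZE 6    /* status word (2) + byte count (2) + last data byte (1) + control (1) */
#define CONTROL_ODD     0x20 /* ODD bit in the control byte: the last data byte slot is payload */

enum frame_status { FRAME_OK = 0, FRAME_TOO_SMALL = -1, FRAME_TOO_LARGE = -2 };

/* Pre-patch arithmetic: only the upper bound was checked, so a byte count
 * below 6 becomes a negative payload length (returned as-is to show it). */
int pre_patch_data_len(int byte_count)
{
    return byte_count > MAX_PACKET_SIZE ? FRAME_TOO_LARGE : byte_count - 6;
}

/* Patched parse of one frame laid out as
 * [status:2][byte count:2 LE][data:n][last data byte:1][control:1]; frame points
 * at a MAX_PACKET_SIZE-byte slot. On FRAME_OK, *data_len is the payload length. */
enum frame_status parse_tx_frame(const uint8_t *frame, int *data_len)
{
    const uint8_t *p = frame + 2;                      /* skip the status word */
    int len = p[0] | ((int)p[1] << 8);                 /* byte count, little-endian */
    p += 2;
    if (len < MIN_PACKET_SIZE) return FRAME_TOO_SMALL; /* the check the patch adds */
    if (len > MAX_PACKET_SIZE) return FRAME_TOO_LARGE;
    len -= MIN_PACKET_SIZE;                            /* size of the packet data proper */
    if (p[len + 1] & CONTROL_ODD) len++;               /* control byte follows the last data byte */
    *data_len = len;
    return FRAME_OK;
}

/* Constructed frame with the given byte count; returns payload length or the negative status. */
int patched_data_len(int byte_count, int odd)
{
    uint8_t frame[MAX_PACKET_SIZE] = { 0 };
    int data_len = 0;
    frame[2] = byte_count & 0xff;
    frame[3] = (byte_count >> 8) & 0xff;
    if (byte_count >= MIN_PACKET_SIZE && byte_count <= MAX_PACKET_SIZE)
        frame[byte_count - 1] = odd ? CONTROL_ODD : 0; /* control byte ends the frame */
    enum frame_status st = parse_tx_frame(frame, &data_len);
    return st == FRAME_OK ? data_len : (int)st;
}

int main(void)
{
    printf("count 4: pre-patch len %d, patched %d\n", pre_patch_data_len(4), patched_data_len(4, 0));
    printf("count 20, ODD set: patched len %d\n", patched_data_len(20, 1)); return 0;
}
```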