rtl8139: fix possible out of bound access
authorJason Wang <jasowang@redhat.com>
Wed, 30 May 2018 05:07:43 +0000 (13:07 +0800)
committerJason Wang <jasowang@redhat.com>
Fri, 19 Oct 2018 03:15:04 +0000 (11:15 +0800)
commit1a326646fef38782e5542280040ec3ea23e4a730
treed63fe13711ab56d492417ea97118134b48597783
parentfdc89e90fac40c5ca2686733df17b6423fb8d8fb
rtl8139: fix possible out of bound access

In rtl8139_do_receive(), we try to assign size_ to size which converts
from size_t to integer. This will cause troubles when size_ is greater
INT_MAX, this will lead a negative value in size and it can then pass
the check of size < MIN_BUF_SIZE which may lead out of bound access of
for both buf and buf1.

Fixing by converting the type of size to size_t.

CC: qemu-stable@nongnu.org
Reported-by: Daniel Shapira <daniel@twistlock.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
hw/net/rtl8139.c