diff options
| -rw-r--r-- | hw/net/xilinx_ethlite.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c index 54db2b83bd..35de353b7c 100644 --- a/hw/net/xilinx_ethlite.c +++ b/hw/net/xilinx_ethlite.c @@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t *buf, size_t size) } D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase)); + if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4) { + D(qemu_log("ethlite packet is too big, size=%x\n", size)); + return -1; + } memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size); s->regs[rxbase + R_RX_CTRL0] |= CTRL_S; |