peterdelevoryas / rpms / qemu

Forked from rpms/qemu 2 years ago
Clone

Blame 0006-net-avoid-infinite-loop-when-receiving-packets-CVE-2.patch

cf8819
From: P J P <pjp@fedoraproject.org>
cf8819
Date: Tue, 15 Sep 2015 16:46:59 +0530
cf8819
Subject: [PATCH] net: avoid infinite loop when receiving
cf8819
 packets(CVE-2015-5278)
cf8819
cf8819
Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
cf8819
bytes to process network packets. While receiving packets
cf8819
via ne2000_receive() routine, a local 'index' variable
cf8819
could exceed the ring buffer size, leading to an infinite
cf8819
loop situation.
cf8819
cf8819
Reported-by: Qinghao Tang <luodalongde@gmail.com>
cf8819
Signed-off-by: P J P <pjp@fedoraproject.org>
cf8819
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
cf8819
(cherry picked from commit 737d2b3c41d59eb8f94ab7eb419b957938f24943)
cf8819
---
cf8819
 hw/net/ne2000.c | 2 +-
cf8819
 1 file changed, 1 insertion(+), 1 deletion(-)
cf8819
cf8819
diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
cf8819
index 3492db3..44a4264 100644
cf8819
--- a/hw/net/ne2000.c
cf8819
+++ b/hw/net/ne2000.c
cf8819
@@ -253,7 +253,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
cf8819
         if (index <= s->stop)
cf8819
             avail = s->stop - index;
cf8819
         else
cf8819
-            avail = 0;
cf8819
+            break;
cf8819
         len = size;
cf8819
         if (len > avail)
cf8819
             len = avail;