rpms / qemu

Clone
Source Code
GIT

Blame 0006-net-avoid-infinite-loop-when-receiving-packets-CVE-2.patch

c10s-sig-hyperscale c8s-sig-hyperscale c9s-sig-hyperscale
  1.   cf8819083b589a21198683d5a7c7065226df0bd2
  2.   0006-net-avoid-infinite-loop-when-receiving-packets-CVE-2.patch
Blob History Raw
cf8819 
From: P J P <pjp@fedoraproject.org>
cf8819 
Date: Tue, 15 Sep 2015 16:46:59 +0530
cf8819 
Subject: [PATCH] net: avoid infinite loop when receiving
cf8819 
 packets(CVE-2015-5278)
cf8819
cf8819 
Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
cf8819 
bytes to process network packets. While receiving packets
cf8819 
via ne2000_receive() routine, a local 'index' variable
cf8819 
could exceed the ring buffer size, leading to an infinite
cf8819 
loop situation.
cf8819
cf8819 
Reported-by: Qinghao Tang <luodalongde@gmail.com>
cf8819 
Signed-off-by: P J P <pjp@fedoraproject.org>
cf8819 
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
cf8819 
(cherry picked from commit 737d2b3c41d59eb8f94ab7eb419b957938f24943)
cf8819 
---
cf8819 
 hw/net/ne2000.c | 2 +-
cf8819 
 1 file changed, 1 insertion(+), 1 deletion(-)
cf8819
cf8819 
diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
cf8819 
index 3492db3..44a4264 100644
cf8819 
--- a/hw/net/ne2000.c
cf8819 
+++ b/hw/net/ne2000.c
cf8819 
@@ -253,7 +253,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
cf8819 
         if (index <= s->stop)
cf8819 
             avail = s->stop - index;
cf8819 
         else
cf8819 
-            avail = 0;
cf8819 
+            break;
cf8819 
         len = size;
cf8819 
         if (len > avail)
cf8819 
             len = avail;

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation