1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
|
From: P J P <pjp@fedoraproject.org>
Date: Fri, 4 Sep 2015 17:21:06 +0100
Subject: e1000: Avoid infinite loop in processing transmit descriptor (CVE-2015-6815)
Commit-Id: b947ac2bf26479e710489739c465c8af336599e7
Bug-Debian: http://bugs.debian.org/798101
While processing transmit descriptors, it could lead to an infinite
loop if 'bytes' was to become zero; Add a check to avoid it.
[The guest can force 'bytes' to 0 by setting the hdr_len and mss
descriptor fields to 0.
--Stefan]
Signed-off-by: P J P <pjp@fedoraproject.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-id: 1441383666-6590-1-git-send-email-stefanha@redhat.com
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
---
hw/e1000.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hw/e1000.c b/hw/e1000.c
index b1d8508..ce185a4 100644
--- a/hw/e1000.c
+++ b/hw/e1000.c
@@ -585,7 +585,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
memmove(tp->data, tp->header, hdr);
tp->size = hdr;
}
- } while (split_size -= bytes);
+ split_size -= bytes;
+ } while (bytes && split_size);
} else if (!tp->tse && tp->cptse) {
// context descriptor TSE is not set, while data descriptor TSE is set
DBGOUT(TXERR, "TCP segmentation error\n");
--
2.1.4
|
