File: ne2000-avoid-infinite-loop-when-receiving-packets-CVE-2015-5278.patch

Package: qemu-kvm 1.1.2+dfsg-6+deb7u12 (area: main; suite: wheezy)
File content: 35 lines, 1,117 bytes
From: P J P <pjp@fedoraproject.org>
Date: Tue, 15 Sep 2015 16:46:59 +0530
Subject: net: avoid infinite loop when receiving packets (CVE-2015-5278)
Commit-Id: 737d2b3c41d59eb8f94ab7eb419b957938f24943
Bug-Debian: http://bugs.debian.org/799073

Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
bytes to process network packets. While receiving packets
via ne2000_receive() routine, a local 'index' variable
could exceed the ring buffer size, leading to an infinite
loop situation.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: P J P <pjp@fedoraproject.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 hw/ne2000.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/ne2000.c b/hw/ne2000.c
index 3798a3b..010f9ef 100644
--- a/hw/ne2000.c
+++ b/hw/ne2000.c
@@ -247,7 +247,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
         if (index <= s->stop)
             avail = s->stop - index;
         else
-            avail = 0;
+            break;
         len = size;
         if (len > avail)
             len = avail;
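
Review bot: the new `break` in the `else` branch (taken when `index > s->stop`) leaves the copy loop with the rest of the packet uncopied, and nothing in this hunk shows how that truncation is reported to the caller or the guest. Please confirm that the code after the loop does not still account for the full `size`, and add a one-line comment stating that `index > s->stop` is an inconsistent ring state rather than a normal wrap. The commit message describes `index` exceeding the ring buffer size (NE2000_MEM_SIZE), but the test here compares only against `s->stop`; an explicit bounds check of `index` and `s->stop` against NE2000_MEM_SIZE before the loop would state the guarantee directly instead of relying on this exit path.
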
-- 
2.1.4