Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:GA
qemu-linux-user.3557
0205-pcnet-fix-rx-buffer-overflow-CVE-20.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0205-pcnet-fix-rx-buffer-overflow-CVE-20.patch of Package qemu-linux-user.3557
From bc8e247997d7f2c72935a1a84ae2ff50903e2e74 Mon Sep 17 00:00:00 2001 From: Jason Wang <jasowang@redhat.com> Date: Mon, 30 Nov 2015 00:40:00 -0700 Subject: [PATCH] pcnet: fix rx buffer overflow(CVE-2015-7512) Backends could provide a packet whose length is greater than buffer size. Check for this and truncate the packet to avoid rx buffer overflow in this case. Cc: Prasad J Pandit <pjp@fedoraproject.org> Cc: qemu-stable@nongnu.org Signed-off-by: Jason Wang <jasowang@redhat.com> [BR: BSC#957162] Signed-off-by: Bruce Rogers <brogers@suse.com> --- hw/net/pcnet.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c index 069e90b..381ceb2 100644 --- a/hw/net/pcnet.c +++ b/hw/net/pcnet.c @@ -1087,6 +1087,12 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_) int pktcount = 0; if (!s->looptest) { + if (size > 4092) { +#ifdef PCNET_DEBUG_RMD + fprintf(stderr, "pcnet: truncates rx packet.\n"); +#endif + size = 4092; + } memcpy(src, buf, size); /* no need to compute the CRC */ src[size] = 0;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor