File CVE-2016-2392-qemuu-usb-null-pointer-dereferenc... of Package xen.10697

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2016-2392-qemuu-usb-null-pointer-dereference-in-NDIS-message-handling.patch of Package xen.10697

References: bsc#967090 CVE-2016-2392

When processing remote NDIS control message packets, the USB Net
device emulator checks to see if the USB configuration descriptor
object is of RNDIS type(2). But it does not check if it is null,
which leads to a null dereference error. Add check to avoid it.

Reported-by: Qinghao Tang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
 hw/usb/dev-network.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/usb/dev-network.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/usb/dev-network.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/usb/dev-network.c
@@ -651,7 +651,8 @@ typedef struct USBNetState {
 
 static int is_rndis(USBNetState *s)
 {
-    return s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE;
+    return s->dev.config ?
+            s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE : 0;
 }
 
 static int ndis_query(USBNetState *s, uint32_t oid,

Places

File CVE-2016-2392-qemuu-usb-null-pointer-dereference-in-NDIS-message-handling.patch of Package xen.10697

Places