File CVE-2016-7909-qemut-net-pcnet-infinite-loop-in-... of Package xen.10697

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2016-7909-qemut-net-pcnet-infinite-loop-in-pcnet_rdra_addr.patch of Package xen.10697

References: bsc#1003032 CVE-2016-7909

The AMD PC-Net II emulator has set of control and status(CSR)
registers. Of these, CSR76 and CSR78 hold receive and transmit
descriptor ring length respectively. This ring length could range
from 1 to 65535. Setting ring length to zero leads to an infinite
loop in pcnet_rdra_addr. Add check to avoid it.

Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
 hw/net/pcnet.c | 3 +++
 1 file changed, 3 insertions(+)

Index: xen-4.4.4-testing/tools/qemu-xen-traditional-dir-remote/hw/pcnet.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pcnet.c
+++ xen-4.4.4-testing/tools/qemu-xen-traditional-dir-remote/hw/pcnet.c
@@ -1476,8 +1476,11 @@ static void pcnet_csr_writew(PCNetState
     case 47: /* POLLINT */
     case 72:
     case 74:
+        break;
     case 76: /* RCVRL */
     case 78: /* XMTRL */
+        val = (val > 0) ? val : 512;
+        break;
     case 112:
        if (CSR_STOP(s) || CSR_SPND(s))
            break;

Places

File CVE-2016-7909-qemut-net-pcnet-infinite-loop-in-pcnet_rdra_addr.patch of Package xen.10697

Places