Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
xen.7653
CVE-2016-6888-qemuu-net-vmxnet3-integer-overflo...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2016-6888-qemuu-net-vmxnet3-integer-overflow-in-packet-initialisation-in-vmxnet3.patch of Package xen.7653
References: bsc#994772 CVE-2016-6888 When network transport abstraction layer initialises pkt, the maximum fragmentation count is not checked. This could lead to an integer overflow causing a NULL pointer dereference. Replace g_malloc() with g_new() to catch the multiplication overflow. Reported-by: Li Qiang <address@hidden> Signed-off-by: Prasad J Pandit <address@hidden> Acked-by: Dmitry Fleytman <address@hidden> Signed-off-by: Jason Wang <address@hidden> --- hw/net/net_tx_pkt.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) Index: xen-4.5.3-testing/tools/qemu-xen-dir-remote/hw/net/vmxnet_tx_pkt.c =================================================================== --- xen-4.5.3-testing.orig/tools/qemu-xen-dir-remote/hw/net/vmxnet_tx_pkt.c +++ xen-4.5.3-testing/tools/qemu-xen-dir-remote/hw/net/vmxnet_tx_pkt.c @@ -59,10 +59,9 @@ void vmxnet_tx_pkt_init(struct VmxnetTxP { struct VmxnetTxPkt *p = g_malloc0(sizeof *p); - p->vec = g_malloc((sizeof *p->vec) * - (max_frags + VMXNET_TX_PKT_PL_START_FRAG)); + p->vec = g_new(struct iovec, max_frags + VMXNET_TX_PKT_PL_START_FRAG); - p->raw = g_malloc((sizeof *p->raw) * max_frags); + p->raw = g_new(struct iovec, max_frags); p->max_payload_frags = max_frags; p->max_raw_frags = max_frags;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor