File CVE-2016-9776-qemut-net-mcf_fec-infinite-loop-w... of Package xen.8005

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2016-9776-qemut-net-mcf_fec-infinite-loop-while-receiving-data-in-mcf_fec_receive.patch of Package xen.8005

References: bsc#1013657 CVE-2016-9776

ColdFire Fast Ethernet Controller uses a receive buffer size
register(EMRBR) to hold maximum size of all receive buffers.
It is set by a user before any operation. If it was set to be
zero, ColdFire emulator would go into an infinite loop while
receiving data in mcf_fec_receive. Add check to avoid it.

Reported-by: Wjjzhang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
 hw/net/mcf_fec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Index: xen-4.4.4-testing/tools/qemu-xen-traditional-dir-remote/hw/mcf_fec.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/mcf_fec.c
+++ xen-4.4.4-testing/tools/qemu-xen-traditional-dir-remote/hw/mcf_fec.c
@@ -340,7 +340,7 @@ static void mcf_fec_write(void *opaque,
         s->tx_descriptor = s->etdsr;
         break;
     case 0x188:
-        s->emrbr = value & 0x7f0;
+        s->emrbr = value > 0 ? value & 0x7F0 : 0x7F0;
         break;
     default:
         cpu_abort(cpu_single_env, "mcf_fec_write Bad address 0x%x\n",

Places

File CVE-2016-9776-qemut-net-mcf_fec-infinite-loop-while-receiving-data-in-mcf_fec_receive.patch of Package xen.8005

Places