File CVE-2015-5278-qemut-Infinite-loop-in-ne2000_rec... of Package xen

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch of Package xen (Revision e246af6cb91b84df7145ba8c9bbf367c)

Currently displaying revision e246af6cb91b84df7145ba8c9bbf367c , Show latest

References: bsc#964947 CVE-2015-5278

Subject: net: avoid infinite loop when receiving packets(CVE-2015-5278)
From: P J P pjp@fedoraproject.org Tue Sep 15 16:46:59 2015 +0530
Date: Tue Sep 15 12:51:14 2015 +0100:
Git: 737d2b3c41d59eb8f94ab7eb419b957938f24943

Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
bytes to process network packets. While receiving packets
via ne2000_receive() routine, a local 'index' variable
could exceed the ring buffer size, leading to an infinite
loop situation.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: P J P <pjp@fedoraproject.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
@@ -328,7 +328,7 @@ static void ne2000_receive(void *opaque,
         if (index <= s->stop)
             avail = s->stop - index;
         else
-            avail = 0;
+            break;
         len = size;
         if (len > avail)
             len = avail;

Places

File CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch of Package xen (Revision e246af6cb91b84df7145ba8c9bbf367c)

Places