qemu/0010-net-avoid-infinite-loop-when-receiving-packets-CVE-2.patch

From: P J P <pjp@fedoraproject.org>
Date: Tue, 15 Sep 2015 16:46:59 +0530
Subject: [PATCH] net: avoid infinite loop when receiving
 packets(CVE-2015-5278)

Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
bytes to process network packets. While receiving packets
via ne2000_receive() routine, a local 'index' variable
could exceed the ring buffer size, leading to an infinite
loop situation.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: P J P <pjp@fedoraproject.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 737d2b3c41d59eb8f94ab7eb419b957938f24943)
---
 hw/net/ne2000.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
index 3492db3..44a4264 100644
--- a/hw/net/ne2000.c
+++ b/hw/net/ne2000.c
@@ -253,7 +253,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
         if (index <= s->stop)
             avail = s->stop - index;
         else
-            avail = 0;
+            break;
         len = size;
         if (len > avail)
             len = avail;
Fix typo causing qemu-img to link against entire world (bz #1260996) CVE-2015-6815: net: e1000: infinite loop issue (bz #1260225) CVE-2015-6855: ide: divide by zero issue (bz #1261793) CVE-2015-5278: Infinite loop in ne2000_receive() (bz #1263284) CVE-2015-5279: Heap overflow vulnerability in ne2000_receive() (bz #1263287) Make block copy more stable (bz #1264416) Fix hang at start of live merge for large images (bz #1262901) 2015-09-21 22:19:06 +00:00			`From: P J P <pjp@fedoraproject.org>`
			`Date: Tue, 15 Sep 2015 16:46:59 +0530`
			`Subject: [PATCH] net: avoid infinite loop when receiving`
			`packets(CVE-2015-5278)`

			`Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)`
			`bytes to process network packets. While receiving packets`
			`via ne2000_receive() routine, a local 'index' variable`
			`could exceed the ring buffer size, leading to an infinite`
			`loop situation.`

			`Reported-by: Qinghao Tang <luodalongde@gmail.com>`
			`Signed-off-by: P J P <pjp@fedoraproject.org>`
			`Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>`
			`(cherry picked from commit 737d2b3c41d59eb8f94ab7eb419b957938f24943)`
			`---`
			`hw/net/ne2000.c \| 2 +-`
			`1 file changed, 1 insertion(+), 1 deletion(-)`

			`diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c`
			`index 3492db3..44a4264 100644`
			`--- a/hw/net/ne2000.c`
			`+++ b/hw/net/ne2000.c`
			`@@ -253,7 +253,7 @@ ssize_t ne2000_receive(NetClientState nc, const uint8_t buf, size_t size_)`
			`if (index <= s->stop)`
			`avail = s->stop - index;`
			`else`
			`- avail = 0;`
			`+ break;`
			`len = size;`
			`if (len > avail)`
			`len = avail;`