From: P J P Date: Fri, 4 Sep 2015 17:21:06 +0100 Subject: [PATCH] e1000: Avoid infinite loop in processing transmit descriptor (CVE-2015-6815) While processing transmit descriptors, it could lead to an infinite loop if 'bytes' was to become zero; Add a check to avoid it. [The guest can force 'bytes' to 0 by setting the hdr_len and mss descriptor fields to 0. --Stefan] Signed-off-by: P J P Signed-off-by: Stefan Hajnoczi Reviewed-by: Thomas Huth Message-id: 1441383666-6590-1-git-send-email-stefanha@redhat.com (cherry picked from commit b947ac2bf26479e710489739c465c8af336599e7) --- hw/net/e1000.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hw/net/e1000.c b/hw/net/e1000.c index 091d61a..f02b9ce 100644 --- a/hw/net/e1000.c +++ b/hw/net/e1000.c @@ -737,7 +737,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) memmove(tp->data, tp->header, tp->hdr_len); tp->size = tp->hdr_len; } - } while (split_size -= bytes); + split_size -= bytes; + } while (bytes && split_size); } else if (!tp->tse && tp->cptse) { // context descriptor TSE is not set, while data descriptor TSE is set DBGOUT(TXERR, "TCP segmentation error\n");