rpms/qemu
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
3d039dc5d8
qemu/0057-NetRxPkt-Account-buffer-with-ETH-header-in-IOV-lengt.patch
Cole Robinson 3d039dc5d8 CVE-2017-7718: cirrus: OOB read access issue (bz #1443443) 
CVE-2016-9603: cirrus: heap buffer overflow via vnc connection (bz #1432040)
CVE-2017-7377: 9pfs: fix file descriptor leak (bz #1437872)
CVE-2017-7980: cirrus: OOB r/w access issues in bitblt (bz #1444372)
CVE-2017-8112: vmw_pvscsi: infinite loop in pvscsi_log2 (bz #1445622)
CVE-2017-8309: audio: host memory lekage via capture buffer (bz #1446520)
CVE-2017-8379: input: host memory lekage via keyboard events (bz #1446560)
CVE-2017-8380: scsi: megasas: out-of-bounds read in megasas_mmio_write (bz #1446578)
CVE-2017-9060: virtio-gpu: host memory leakage in Virtio GPU device (bz #1452598)
CVE-2017-9310: net: infinite loop in e1000e NIC emulation (bz #1452623)
CVE-2017-9330: usb: ohci: infinite loop due to incorrect return value (bz #1457699)
CVE-2017-9374: usb: ehci host memory leakage during hotunplug (bz #1459137)
CVE-2017-10806: usb-redirect: stack buffer overflow in debug logging (bz #1468497)
2017-07-12 18:19:21 -04:00

35 lines
1.2 KiB
Diff
Raw Blame History

From: Dmitry Fleytman <dmitry@daynix.com>
Date: Thu, 16 Feb 2017 14:29:35 +0200
Subject: [PATCH] NetRxPkt: Account buffer with ETH header in IOV length
In case of VLAN stripping ETH header is stored in a
separate chunk and length of IOV should take this into
account.
This patch fixes checksum validation for RX packets
with VLAN header.
Devices affected by this problem: e1000e and vmxnet3.
Cc: qemu-stable@nongnu.org
Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit c5d083c561a4f5297cc2e44a2f3cef3324d77a88)
---
hw/net/net_rx_pkt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/net_rx_pkt.c b/hw/net/net_rx_pkt.c
index d38babec88..c7ae33d0d3 100644
--- a/hw/net/net_rx_pkt.c
+++ b/hw/net/net_rx_pkt.c
@@ -97,7 +97,7 @@ net_rx_pkt_pull_data(struct NetRxPkt *pkt,
pkt->tot_len = iov_size(iov, iovcnt) - ploff + pkt->ehdr_buf_len;
pkt->vec_len = iov_copy(pkt->vec + 1, pkt->vec_len_total - 1,
iov, iovcnt, ploff,
- pkt->tot_len - pkt->ehdr_buf_len);
+ pkt->tot_len - pkt->ehdr_buf_len) + 1;
} else {
net_rx_pkt_iovec_realloc(pkt, iovcnt);
Reference in New Issue View Git Blame Copy Permalink