a3fa63d2ce
CVE-2015-6815: net: e1000: infinite loop issue (bz #1260225) CVE-2015-6855: ide: divide by zero issue (bz #1261793) CVE-2015-5278: Infinite loop in ne2000_receive() (bz #1263284) CVE-2015-5279: Heap overflow vulnerability in ne2000_receive() (bz #1263287) Make block copy more stable (bz #1264416) Fix hang at start of live merge for large images (bz #1262901)
36 lines
1.3 KiB
Diff
36 lines
1.3 KiB
Diff
From: P J P <pjp@fedoraproject.org>
|
|
Date: Fri, 4 Sep 2015 17:21:06 +0100
|
|
Subject: [PATCH] e1000: Avoid infinite loop in processing transmit descriptor
|
|
(CVE-2015-6815)
|
|
|
|
While processing transmit descriptors, it could lead to an infinite
|
|
loop if 'bytes' was to become zero; Add a check to avoid it.
|
|
|
|
[The guest can force 'bytes' to 0 by setting the hdr_len and mss
|
|
descriptor fields to 0.
|
|
--Stefan]
|
|
|
|
Signed-off-by: P J P <pjp@fedoraproject.org>
|
|
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
Reviewed-by: Thomas Huth <thuth@redhat.com>
|
|
Message-id: 1441383666-6590-1-git-send-email-stefanha@redhat.com
|
|
(cherry picked from commit b947ac2bf26479e710489739c465c8af336599e7)
|
|
---
|
|
hw/net/e1000.c | 3 ++-
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/hw/net/e1000.c b/hw/net/e1000.c
|
|
index 091d61a..f02b9ce 100644
|
|
--- a/hw/net/e1000.c
|
|
+++ b/hw/net/e1000.c
|
|
@@ -737,7 +737,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
|
|
memmove(tp->data, tp->header, tp->hdr_len);
|
|
tp->size = tp->hdr_len;
|
|
}
|
|
- } while (split_size -= bytes);
|
|
+ split_size -= bytes;
|
|
+ } while (bytes && split_size);
|
|
} else if (!tp->tse && tp->cptse) {
|
|
// context descriptor TSE is not set, while data descriptor TSE is set
|
|
DBGOUT(TXERR, "TCP segmentation error\n");
|