a3fa63d2ce
CVE-2015-6815: net: e1000: infinite loop issue (bz #1260225) CVE-2015-6855: ide: divide by zero issue (bz #1261793) CVE-2015-5278: Infinite loop in ne2000_receive() (bz #1263284) CVE-2015-5279: Heap overflow vulnerability in ne2000_receive() (bz #1263287) Make block copy more stable (bz #1264416) Fix hang at start of live merge for large images (bz #1262901)
33 lines
1.1 KiB
Diff
33 lines
1.1 KiB
Diff
From: P J P <pjp@fedoraproject.org>
|
|
Date: Tue, 15 Sep 2015 16:46:59 +0530
|
|
Subject: [PATCH] net: avoid infinite loop when receiving
|
|
packets(CVE-2015-5278)
|
|
|
|
Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
|
|
bytes to process network packets. While receiving packets
|
|
via ne2000_receive() routine, a local 'index' variable
|
|
could exceed the ring buffer size, leading to an infinite
|
|
loop situation.
|
|
|
|
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
|
Signed-off-by: P J P <pjp@fedoraproject.org>
|
|
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
(cherry picked from commit 737d2b3c41d59eb8f94ab7eb419b957938f24943)
|
|
---
|
|
hw/net/ne2000.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
|
|
index 3492db3..44a4264 100644
|
|
--- a/hw/net/ne2000.c
|
|
+++ b/hw/net/ne2000.c
|
|
@@ -253,7 +253,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
|
|
if (index <= s->stop)
|
|
avail = s->stop - index;
|
|
else
|
|
- avail = 0;
|
|
+ break;
|
|
len = size;
|
|
if (len > avail)
|
|
len = avail;
|