motorhead/qemu
1
0
Fork 0
mirror of https://github.com/Motorhead1991/qemu.git synced 2025-08-03 07:43:54 -06:00
Code Issues Projects Releases Packages Wiki Activity Actions

net: avoid infinite loop when receiving packets(CVE-2015-5278)

Browse source 
Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
bytes to process network packets. While receiving packets
via ne2000_receive() routine, a local 'index' variable
could exceed the ring buffer size, leading to an infinite
loop situation.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: P J P <pjp@fedoraproject.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
This commit is contained in:
P J P 2015-09-15 16:46:59 +05:30 committed by Stefan Hajnoczi
parent 9bbdbc66e5
commit 737d2b3c41
1 changed files with 1 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
hw/net/ne2000.c
View file

@ -247,7 +247,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
if (index <= s->stop)
avail = s->stop - index;
else
avail = 0;
break;
len = size;
if (len > avail)
len = avail;