a3fa63
From: P J P <pjp@fedoraproject.org>
a3fa63
Date: Fri, 4 Sep 2015 17:21:06 +0100
a3fa63
Subject: [PATCH] e1000: Avoid infinite loop in processing transmit descriptor
a3fa63
 (CVE-2015-6815)
a3fa63
a3fa63
While processing transmit descriptors, it could lead to an infinite
a3fa63
loop if 'bytes' was to become zero; Add a check to avoid it.
a3fa63
a3fa63
[The guest can force 'bytes' to 0 by setting the hdr_len and mss
a3fa63
descriptor fields to 0.
a3fa63
--Stefan]
a3fa63
a3fa63
Signed-off-by: P J P <pjp@fedoraproject.org>
a3fa63
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
a3fa63
Reviewed-by: Thomas Huth <thuth@redhat.com>
a3fa63
Message-id: 1441383666-6590-1-git-send-email-stefanha@redhat.com
a3fa63
(cherry picked from commit b947ac2bf26479e710489739c465c8af336599e7)
a3fa63
---
a3fa63
 hw/net/e1000.c | 3 ++-
a3fa63
 1 file changed, 2 insertions(+), 1 deletion(-)
a3fa63
a3fa63
diff --git a/hw/net/e1000.c b/hw/net/e1000.c
a3fa63
index 091d61a..f02b9ce 100644
a3fa63
--- a/hw/net/e1000.c
a3fa63
+++ b/hw/net/e1000.c
a3fa63
@@ -737,7 +737,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
a3fa63
                 memmove(tp->data, tp->header, tp->hdr_len);
a3fa63
                 tp->size = tp->hdr_len;
a3fa63
             }
a3fa63
-        } while (split_size -= bytes);
a3fa63
+            split_size -= bytes;
a3fa63
+        } while (bytes && split_size);
a3fa63
     } else if (!tp->tse && tp->cptse) {
a3fa63
         // context descriptor TSE is not set, while data descriptor TSE is set
a3fa63
         DBGOUT(TXERR, "TCP segmentation error\n");