Blame qemu.trad.CVE-2015-7512.patch
|
|
34cdd53 |
From 8b98a2f07175d46c3f7217639bd5e03f2ec56343 Mon Sep 17 00:00:00 2001
|
|
|
34cdd53 |
From: Jason Wang <jasowang@redhat.com>
|
|
|
34cdd53 |
Date: Mon, 30 Nov 2015 15:00:06 +0800
|
|
|
34cdd53 |
Subject: [PATCH] pcnet: fix rx buffer overflow(CVE-2015-7512)
|
|
|
34cdd53 |
|
|
|
34cdd53 |
Backends could provide a packet whose length is greater than buffer
|
|
|
34cdd53 |
size. Check for this and truncate the packet to avoid rx buffer
|
|
|
34cdd53 |
overflow in this case.
|
|
|
34cdd53 |
|
|
|
34cdd53 |
Cc: Prasad J Pandit <pjp@fedoraproject.org>
|
|
|
34cdd53 |
Cc: qemu-stable@nongnu.org
|
|
|
34cdd53 |
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
|
|
|
34cdd53 |
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
|
|
34cdd53 |
---
|
|
|
34cdd53 |
tools/qemu-xen-traditional/hw/pcnet.c | 6 ++++++
|
|
|
34cdd53 |
1 files changed, 6 insertions(+), 0 deletions(-)
|
|
|
34cdd53 |
|
|
|
34cdd53 |
diff --git a/tools/qemu-xen-traditional/hw/pcnet.c b/tools/qemu-xen-traditional/hw/pcnet.c
|
|
|
34cdd53 |
index 309c40b..1f4a3db 100644
|
|
|
34cdd53 |
--- a/tools/qemu-xen-traditional/hw/pcnet.c
|
|
|
34cdd53 |
+++ b/tools/qemu-xen-traditional/hw/pcnet.c
|
|
|
34cdd53 |
@@ -1064,6 +1064,12 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
|
|
|
34cdd53 |
int pktcount = 0;
|
|
|
34cdd53 |
|
|
|
34cdd53 |
if (!s->looptest) {
|
|
|
34cdd53 |
+ if (size > 4092) {
|
|
|
34cdd53 |
+#ifdef PCNET_DEBUG_RMD
|
|
|
34cdd53 |
+ fprintf(stderr, "pcnet: truncates rx packet.\n");
|
|
|
34cdd53 |
+#endif
|
|
|
34cdd53 |
+ size = 4092;
|
|
|
34cdd53 |
+ }
|
|
|
34cdd53 |
memcpy(src, buf, size);
|
|
|
34cdd53 |
/* no need to compute the CRC */
|
|
|
34cdd53 |
src[size] = 0;
|
|
|
34cdd53 |
--
|
|
|
34cdd53 |
1.7.0.4
|
|
|
34cdd53 |
|