Blame qemu.trad.CVE-2016-9776.patch
|
|
59baea1 |
From 77d54985b85a0cb760330ec2bd92505e0a2a97a9 Mon Sep 17 00:00:00 2001
|
|
|
59baea1 |
From: Prasad J Pandit <pjp@fedoraproject.org>
|
|
|
59baea1 |
Date: Tue, 29 Nov 2016 00:38:39 +0530
|
|
|
59baea1 |
Subject: [PATCH] net: mcf: check receive buffer size register value
|
|
|
59baea1 |
|
|
|
59baea1 |
ColdFire Fast Ethernet Controller uses a receive buffer size
|
|
|
59baea1 |
register(EMRBR) to hold maximum size of all receive buffers.
|
|
|
59baea1 |
It is set by a user before any operation. If it was set to be
|
|
|
59baea1 |
zero, ColdFire emulator would go into an infinite loop while
|
|
|
59baea1 |
receiving data in mcf_fec_receive. Add check to avoid it.
|
|
|
59baea1 |
|
|
|
59baea1 |
Reported-by: Wjjzhang <wjjzhang@tencent.com>
|
|
|
59baea1 |
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
|
|
59baea1 |
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
|
|
59baea1 |
---
|
|
|
59baea1 |
hw/net/mcf_fec.c | 2 +-
|
|
|
59baea1 |
1 files changed, 1 insertions(+), 1 deletions(-)
|
|
|
59baea1 |
|
|
|
59baea1 |
diff --git a/hw/mcf_fec.c b/hw/mcf_fec.c
|
|
|
59baea1 |
index dc61bac..4025eb3 100644
|
|
|
59baea1 |
--- a/hw/mcf_fec.c
|
|
|
59baea1 |
+++ b/hw/mcf_fec.c
|
|
|
59baea1 |
@@ -393,7 +393,7 @@ static void mcf_fec_write(void *opaque, hwaddr addr,
|
|
|
59baea1 |
s->tx_descriptor = s->etdsr;
|
|
|
59baea1 |
break;
|
|
|
59baea1 |
case 0x188:
|
|
|
59baea1 |
- s->emrbr = value & 0x7f0;
|
|
|
59baea1 |
+ s->emrbr = value > 0 ? value & 0x7F0 : 0x7F0;
|
|
|
59baea1 |
break;
|
|
|
59baea1 |
default:
|
|
|
59baea1 |
cpu_abort(cpu_single_env, "mcf_fec_write Bad address 0x%x\n",
|
|
|
59baea1 |
--
|
|
|
59baea1 |
1.7.0.4
|
|
|
59baea1 |
|