From 8ad9e71fc937439730fa68e82d6da11a50eb5c04 Mon Sep 17 00:00:00 2001
From: P J P <pjp@fedoraproject.org>
Date: Tue, 15 Sep 2015 16:46:59 +0530
Subject: [PATCH] net: avoid infinite loop when receiving packets(CVE-2015-5278)

Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
bytes to process network packets. While receiving packets
via ne2000_receive() routine, a local 'index' variable
could exceed the ring buffer size, leading to an infinite
loop situation.

upstream-commit-id: 737d2b3c41d59eb8f94ab7eb419b957938f24943

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: P J P <pjp@fedoraproject.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
---
 hw/net/ne2000.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/tools/qemu-xen/hw/net/ne2000.c b/tools/qemu-xen/hw/net/ne2000.c
index 109ef4e..63f1960 100644
--- a/tools/qemu-xen/hw/net/ne2000.c
+++ b/tools/qemu-xen/hw/net/ne2000.c
@@ -256,7 +256,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
         if (index <= s->stop)
             avail = s->stop - index;
         else
-            avail = 0;
+            break;
         len = size;
         if (len > avail)
             len = avail;
-- 
1.7.2.5