| Upstream-Status: Backport |
| |
| Backport patch to fix CVE-2016-7908 from: |
| |
| http://git.qemu.org/?p=qemu.git;a=commit;h=070c4b92b8c |
| |
| CVE: CVE-2016-7908 |
| |
| Signed-off-by: Kai Kang <kai.kang@windriver.com> |
| --- |
| From 070c4b92b8cd5390889716677a0b92444d6e087a Mon Sep 17 00:00:00 2001 |
| From: Prasad J Pandit <pjp@fedoraproject.org> |
| Date: Thu, 22 Sep 2016 16:02:37 +0530 |
| Subject: [PATCH] net: mcf: limit buffer descriptor count |
| |
| ColdFire Fast Ethernet Controller uses buffer descriptors to manage |
| data flow to/fro receive & transmit queues. While transmitting |
| packets, it could continue to read buffer descriptors if a buffer |
| descriptor has length of zero and has crafted values in bd.flags. |
| Set upper limit to number of buffer descriptors. |
| |
| Reported-by: Li Qiang <liqiang6-s@360.cn> |
| Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> |
| Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> |
| Signed-off-by: Jason Wang <jasowang@redhat.com> |
| --- |
| hw/net/mcf_fec.c | 5 +++-- |
| 1 file changed, 3 insertions(+), 2 deletions(-) |
| |
| diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c |
| index 0ee8ad9..d31fea1 100644 |
| --- a/hw/net/mcf_fec.c |
| +++ b/hw/net/mcf_fec.c |
| @@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0) |
| #define DPRINTF(fmt, ...) do {} while(0) |
| #endif |
| |
| +#define FEC_MAX_DESC 1024 |
| #define FEC_MAX_FRAME_SIZE 2032 |
| |
| typedef struct { |
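Review bot: FEC_MAX_DESC is added without a comment saying what 1024 represents or where the value comes from. Since the commit message describes it as an upper limit on the number of buffer descriptors, a one-line comment above the define would help. It should say that the constant caps how many descriptors one mcf_fec_do_tx() call will walk, and whether 1024 is a hardware figure or a chosen safety bound. That keeps later readers from treating it as a ring size.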
| @@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s) |
| uint32_t addr; |
| mcf_fec_bd bd; |
| int frame_size; |
| - int len; |
| + int len, descnt = 0; |
| uint8_t frame[FEC_MAX_FRAME_SIZE]; |
| uint8_t *ptr; |
| |
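Review bot: style point on "int len, descnt = 0;". The new counter is appended to the existing declaration of len, so one line now mixes an uninitialised variable with an initialised one, and the guard is easy to overlook. Consider giving descnt its own declaration line. Since it only counts upward against FEC_MAX_DESC, an unsigned type would also state the intent more clearly.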
| @@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s) |
| ptr = frame; |
| frame_size = 0; |
| addr = s->tx_descriptor; |
| - while (1) { |
| + while (descnt++ < FEC_MAX_DESC) { |
| mcf_fec_read_bd(&bd, addr); |
| DPRINTF("tx_bd %x flags %04x len %d data %08x\n", |
| addr, bd.flags, bd.length, bd.data); |
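Review bot: when "while (descnt++ < FEC_MAX_DESC)" ends because the cap was reached, nothing in this hunk reports it, so a guest-supplied descriptor chain that never terminates is cut off silently and looks the same as a normal exit. Because of the post-increment, descnt is FEC_MAX_DESC + 1 only when the bound ended the loop, so a check of "descnt > FEC_MAX_DESC" after the loop could emit a DPRINTF or guest-error message. Note also that descnt is initialised once at its declaration, so the limit applies to the whole call rather than to each frame. If that is intended, a short comment at the loop would make it explicit.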
| -- |
| 2.9.3 |
| |