xen/CVE-2016-2392-qemuu-usb-null-pointer-dereference-in-NDIS-message-handling.patch

References: bsc#967090 CVE-2016-2392

When processing remote NDIS control message packets, the USB Net
device emulator checks to see if the USB configuration descriptor
object is of RNDIS type(2). But it does not check if it is null,
which leads to a null dereference error. Add check to avoid it.

Reported-by: Qinghao Tang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
 hw/usb/dev-network.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Index: xen-4.6.1-testing/tools/qemu-xen-dir-remote/hw/usb/dev-network.c
===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-dir-remote/hw/usb/dev-network.c
+++ xen-4.6.1-testing/tools/qemu-xen-dir-remote/hw/usb/dev-network.c
@@ -650,7 +650,8 @@ typedef struct USBNetState {
 
 static int is_rndis(USBNetState *s)
 {
-    return s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE;
+    return s->dev.config ?
+            s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE : 0;
 }
 
 static int ndis_query(USBNetState *s, uint32_t oid,
- bsc#954872 - L3: script block-dmmd not working as expected - libxl: error: libxl_dm.c block-dmmd - bsc#967101 - VUL-0: CVE-2016-2391: xen: usb: multiple eof_timers in ohci module leads to null pointer dereference CVE-2016-2391-qemuu-usb-null-pointer-dereference-in-ohci-module.patch - bsc#967090 - VUL-0: CVE-2016-2392: xen: usb: null pointer dereference in remote NDIS control message handling CVE-2016-2392-qemuu-usb-null-pointer-dereference-in-NDIS-message-handling.patch - bsc#965315 - VUL-0: CVE-2016-2270: xen: x86: inconsistent cachability flags on guest mappings (XSA-154) xsa154.patch xsa154-fix.patch - bsc#965317 - VUL-0: CVE-2016-2271: xen: VMX: guest user mode may crash guest with non-canonical RIP (XSA-170) xsa170.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=401 2016-02-22 21:37:58 +01:00			`References: bsc#967090 CVE-2016-2392`

			`When processing remote NDIS control message packets, the USB Net`
			`device emulator checks to see if the USB configuration descriptor`
			`object is of RNDIS type(2). But it does not check if it is null,`
			`which leads to a null dereference error. Add check to avoid it.`

			`Reported-by: Qinghao Tang <address@hidden>`
			`Signed-off-by: Prasad J Pandit <address@hidden>`
			`---`
			`hw/usb/dev-network.c \| 3 ++-`
			`1 file changed, 2 insertions(+), 1 deletion(-)`

			`Index: xen-4.6.1-testing/tools/qemu-xen-dir-remote/hw/usb/dev-network.c`
			`===================================================================`
			`--- xen-4.6.1-testing.orig/tools/qemu-xen-dir-remote/hw/usb/dev-network.c`
			`+++ xen-4.6.1-testing/tools/qemu-xen-dir-remote/hw/usb/dev-network.c`
			`@@ -650,7 +650,8 @@ typedef struct USBNetState {`

			`static int is_rndis(USBNetState *s)`
			`{`
			`- return s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE;`
			`+ return s->dev.config ?`
			`+ s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE : 0;`
			`}`

			`static int ndis_query(USBNetState *s, uint32_t oid,`