xen/CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch

References: bsc#964947 CVE-2015-5278

Subject: net: avoid infinite loop when receiving packets(CVE-2015-5278)
From: P J P pjp@fedoraproject.org Tue Sep 15 16:46:59 2015 +0530
Date: Tue Sep 15 12:51:14 2015 +0100:
Git: 737d2b3c41d59eb8f94ab7eb419b957938f24943

Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
bytes to process network packets. While receiving packets
via ne2000_receive() routine, a local 'index' variable
could exceed the ring buffer size, leading to an infinite
loop situation.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: P J P <pjp@fedoraproject.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
@@ -328,7 +328,7 @@ static void ne2000_receive(void *opaque,
         if (index <= s->stop)
             avail = s->stop - index;
         else
-            avail = 0;
+            break;
         len = size;
         if (len > avail)
             len = avail;
- bsc#964947 - VUL-0: CVE-2015-5278: xen: Infinite loop in ne2000_receive() function CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch - bsc#956832 - VUL-0: CVE-2015-8345: xen: qemu: net: eepro100: infinite loop in processing command block list CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch - bsc#964644 - VUL-0: CVE-2013-4533: xen pxa2xx: buffer overrun on incoming migration CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch - bsc#964925 - VUL-0: CVE-2014-0222: xen: qcow1: validate L2 table size to avoid integer overflows CVE-2014-0222-blktap-qcow1-validate-l2-table-size.patch - Dropped CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch - bsc#964415 - VUL-1: CVE-2016-2198: xen: usb: ehci null pointer dereference in ehci_caps_write CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=397 2016-02-03 22:39:15 +01:00			`References: bsc#964947 CVE-2015-5278`

			`Subject: net: avoid infinite loop when receiving packets(CVE-2015-5278)`
			`From: P J P pjp@fedoraproject.org Tue Sep 15 16:46:59 2015 +0530`
			`Date: Tue Sep 15 12:51:14 2015 +0100:`
			`Git: 737d2b3c41d59eb8f94ab7eb419b957938f24943`

			`Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)`
			`bytes to process network packets. While receiving packets`
			`via ne2000_receive() routine, a local 'index' variable`
			`could exceed the ring buffer size, leading to an infinite`
			`loop situation.`

			`Reported-by: Qinghao Tang <luodalongde@gmail.com>`
			`Signed-off-by: P J P <pjp@fedoraproject.org>`
			`Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>`

			`Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c`
			`===================================================================`
			`--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c`
			`+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c`
			`@@ -328,7 +328,7 @@ static void ne2000_receive(void *opaque,`
			`if (index <= s->stop)`
			`avail = s->stop - index;`
			`else`
			`- avail = 0;`
			`+ break;`
			`len = size;`
			`if (len > avail)`
			`len = avail;`