References: bsc#964947 CVE-2015-5278 Subject: net: avoid infinite loop when receiving packets(CVE-2015-5278) From: P J P pjp@fedoraproject.org Tue Sep 15 16:46:59 2015 +0530 Date: Tue Sep 15 12:51:14 2015 +0100: Git: 737d2b3c41d59eb8f94ab7eb419b957938f24943 Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152) bytes to process network packets. While receiving packets via ne2000_receive() routine, a local 'index' variable could exceed the ring buffer size, leading to an infinite loop situation. Reported-by: Qinghao Tang Signed-off-by: P J P Signed-off-by: Stefan Hajnoczi Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c =================================================================== --- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c +++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c @@ -328,7 +328,7 @@ static void ne2000_receive(void *opaque, if (index <= s->stop) avail = s->stop - index; else - avail = 0; + break; len = size; if (len > avail) len = avail;