8292994238
logging upon guest changing callback method (XSA-169) 5677f350-x86-make-debug-output-consistent-in-hvm_set_callback_via.patch - bsc#959387 - VUL-0: CVE-2015-8568 CVE-2015-8567: xen: qemu: net: vmxnet3: host memory leakage CVE-2015-8568-qemuu-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch - bsc#957988 - VUL-0: CVE-2015-8550: xen: paravirtualized drivers incautious about shared memory contents (XSA-155) xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch xsa155-qemuu-qdisk-double-access.patch xsa155-qemut-qdisk-double-access.patch xsa155-qemuu-xenfb.patch xsa155-qemut-xenfb.patch - bsc#959006 - VUL-0: CVE-2015-8558: xen: qemu: usb: infinite loop in ehci_advance_state results in DoS CVE-2015-8558-qemuu-usb-infinite-loop-in-ehci_advance_state-results-in-DoS.patch - bsc#958918 - VUL-0: CVE-2015-7549: xen: qemu pci: null pointer dereference issue CVE-2015-7549-qemuu-pci-null-pointer-dereference-issue.patch - bsc#958493 - VUL-0: CVE-2015-8504: xen: qemu: ui: vnc: avoid floating point exception CVE-2015-8504-qemuu-vnc-avoid-floating-point-exception.patch CVE-2015-8504-qemut-vnc-avoid-floating-point-exception.patch - bsc#958007 - VUL-0: CVE-2015-8554: xen: qemu-dm buffer overrun in MSI-X handling (XSA-164) xsa164.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=393
38 lines
1.5 KiB
Diff
38 lines
1.5 KiB
Diff
net: pcnet: add check to validate receive data size(CVE-2015-7504)
|
|
|
|
In loopback mode, pcnet_receive routine appends CRC code to the
|
|
receive buffer. If the data size given is same as the buffer size,
|
|
the appended CRC code overwrites 4 bytes after s->buffer. Added a
|
|
check to avoid that.
|
|
|
|
---
|
|
hw/net/pcnet.c | 10 ++++++----
|
|
1 file changed, 6 insertions(+), 4 deletions(-)
|
|
|
|
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/pcnet.c
|
|
===================================================================
|
|
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/net/pcnet.c
|
|
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/pcnet.c
|
|
@@ -1106,7 +1106,7 @@ ssize_t pcnet_receive(NetClientState *nc
|
|
uint32_t fcs = ~0;
|
|
uint8_t *p = src;
|
|
|
|
- while (p != &src[size-4])
|
|
+ while (p != &src[size])
|
|
CRC(fcs, *p++);
|
|
crc_err = (*(uint32_t *)p != htonl(fcs));
|
|
}
|
|
@@ -1255,8 +1255,10 @@ static void pcnet_transmit(PCNetState *s
|
|
bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
|
|
|
|
/* if multi-tmd packet outsizes s->buffer then skip it silently.
|
|
- Note: this is not what real hw does */
|
|
- if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
|
|
+ * Note: this is not what real hw does.
|
|
+ * Last four bytes of s->buffer are used to store CRC FCS code.
|
|
+ */
|
|
+ if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) {
|
|
s->xmit_pos = -1;
|
|
goto txdone;
|
|
}
|