95d1280885
dereference in vapic_write() CVE-2016-1922-qemuu-i386-null-pointer-dereference-in-vapic_write.patch CVE-2016-2391-qemut-usb-null-pointer-dereference-in-ohci-module.patch - bsc#965112 - VUL-0: CVE-2014-3640: xen: slirp: NULL pointer deref in sosendto() CVE-2014-3640-qemut-slirp-NULL-pointer-deref-in-sosendto.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=404
32 lines
1.2 KiB
Diff
32 lines
1.2 KiB
Diff
References: bsc#944697
|
|
|
|
From: P J P <address@hidden>
|
|
|
|
While processing transmit descriptors, it could lead to an infinite
|
|
loop if 'bytes' was to become zero; Add a check to avoid it.
|
|
|
|
[The guest can force 'bytes' to 0 by setting the hdr_len and mss
|
|
descriptor fields to 0.
|
|
--Stefan]
|
|
|
|
Signed-off-by: P J P <address@hidden>
|
|
Signed-off-by: Stefan Hajnoczi <address@hidden>
|
|
---
|
|
hw/net/e1000.c | 3 ++-
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
|
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
|
|
===================================================================
|
|
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
|
|
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
|
|
@@ -470,7 +470,8 @@ process_tx_desc(E1000State *s, struct e1
|
|
memmove(tp->data, tp->header, hdr);
|
|
tp->size = hdr;
|
|
}
|
|
- } while (split_size -= bytes);
|
|
+ split_size -= bytes;
|
|
+ } while (bytes && split_size);
|
|
} else if (!tp->tse && tp->cptse) {
|
|
// context descriptor TSE is not set, while data descriptor TSE is set
|
|
DBGOUT(TXERR, "TCP segmentaion Error\n");
|