From b7f162a68696ea14af398de7584cfaf9f2de4509 Mon Sep 17 00:00:00 2001 From: P J P Date: Mon, 31 Oct 2016 15:58:47 -0600 Subject: [PATCH] net: imx: limit buffer descriptor count i.MX Fast Ethernet Controller uses buffer descriptors to manage data flow to/fro receive & transmit queues. While transmitting packets, it could continue to read buffer descriptors if a buffer descriptor has length of zero and has crafted values in bd.flags. Set an upper limit to number of buffer descriptors. Reported-by: Li Qiang Signed-off-by: Prasad J Pandit [BR: CVE-2016-7907 BSC#1002549] Signed-off-by: Bruce Rogers --- hw/net/imx_fec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c index 1c415ab..1d74827 100644 --- a/hw/net/imx_fec.c +++ b/hw/net/imx_fec.c @@ -220,6 +220,8 @@ static const VMStateDescription vmstate_imx_eth = { #define PHY_INT_PARFAULT (1 << 2) #define PHY_INT_AUTONEG_PAGE (1 << 1) +#define IMX_MAX_DESC 1024 + static void imx_eth_update(IMXFECState *s); /* @@ -402,12 +404,12 @@ static void imx_eth_update(IMXFECState *s) static void imx_fec_do_tx(IMXFECState *s) { - int frame_size = 0; + int frame_size = 0, descnt = 0; uint8_t frame[ENET_MAX_FRAME_SIZE]; uint8_t *ptr = frame; uint32_t addr = s->tx_descriptor; - while (1) { + while (descnt++ < IMX_MAX_DESC) { IMXFECBufDesc bd; int len;