References: bsc#956832 CVE-2015-8345

From: Prasad J Pandit <address@hidden>
Date: Fri, 16 Oct 2015 11:33:27 +0530
Subject: eepro100: prevent an infinite loop over same command block

action_command() routine executes a chain of commands located
in the Command Block List(CBL). Each Command Block(CB) has a
link to the next CB in the list, given by 's->tx.link'.
This is used in conjunction with the base address 's->cu_base'.

An infinite loop unfolds if the 'link' to the next CB is
same as the previous one, the loop ends up executing the same
command over and over again.

Reported-by: Qinghao Tang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
 hw/net/eepro100.c | 2 ++
 1 file changed, 2 insertions(+)

Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/eepro100.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/eepro100.c
+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/eepro100.c
@@ -674,6 +674,8 @@ static void eepro100_cu_command(EEPRO100
       next_command:
         cb_address = s->cu_base + s->cu_offset;
         cpu_physical_memory_read(cb_address, (uint8_t *) & tx, sizeof(tx));
+        if (tx.link == s->cu_offset)
+            break;
         uint16_t status = le16_to_cpu(tx.status);
         uint16_t command = le16_to_cpu(tx.command);
         logout