diff options
author | P J P <pjp@fedoraproject.org> | 2015-09-15 16:46:59 +0530 |
---|---|---|
committer | Stefan Hajnoczi <stefanha@redhat.com> | 2015-09-15 12:51:14 +0100 |
commit | 737d2b3c41d59eb8f94ab7eb419b957938f24943 (patch) | |
tree | de751aa25c0ae9b3ddc10e5f142c3e703a4d991b | |
parent | 9bbdbc66e5765068dce76e9269dce4547afd8ad4 (diff) | |
download | qemu-737d2b3c41d59eb8f94ab7eb419b957938f24943.tar.gz qemu-737d2b3c41d59eb8f94ab7eb419b957938f24943.tar.bz2 qemu-737d2b3c41d59eb8f94ab7eb419b957938f24943.zip |
net: avoid infinite loop when receiving packets(CVE-2015-5278)
Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
bytes to process network packets. While receiving packets
via ne2000_receive() routine, a local 'index' variable
could exceed the ring buffer size, leading to an infinite
loop situation.
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: P J P <pjp@fedoraproject.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-rw-r--r-- | hw/net/ne2000.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c index 3798a3b2f2..010f9efccd 100644 --- a/hw/net/ne2000.c +++ b/hw/net/ne2000.c @@ -247,7 +247,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_) if (index <= s->stop) avail = s->stop - index; else - avail = 0; + break; len = size; if (len > avail) len = avail; |