From 737d2b3c41d59eb8f94ab7eb419b957938f24943 Mon Sep 17 00:00:00 2001 From: P J P Date: Tue, 15 Sep 2015 16:46:59 +0530 Subject: net: avoid infinite loop when receiving packets(CVE-2015-5278) Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152) bytes to process network packets. While receiving packets via ne2000_receive() routine, a local 'index' variable could exceed the ring buffer size, leading to an infinite loop situation. Reported-by: Qinghao Tang Signed-off-by: P J P Signed-off-by: Stefan Hajnoczi --- hw/net/ne2000.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c index 3798a3b2f2..010f9efccd 100644 --- a/hw/net/ne2000.c +++ b/hw/net/ne2000.c @@ -247,7 +247,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_) if (index <= s->stop) avail = s->stop - index; else - avail = 0; + break; len = size; if (len > avail) len = avail; -- cgit v1.2.3