Commit 737d2b3c authored Sep 15, 2015 by P J P Committed by Stefan Hajnoczi Sep 15, 2015

net: avoid infinite loop when receiving packets(CVE-2015-5278)



Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
bytes to process network packets. While receiving packets
via ne2000_receive() routine, a local 'index' variable
could exceed the ring buffer size, leading to an infinite
loop situation.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: P J P <pjp@fedoraproject.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

parent 9bbdbc66

hw/net/ne2000.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -247,7 +247,7 @@ ssize_t ne2000_receive(NetClientState nc, const uint8_t buf, size_t size_)
		if (index <= s->stop)
		avail = s->stop - index;
		else
		avail = 0;
		break;
		len = size;
		if (len > avail)
		len = avail;