A new user interface for you! Read more...

File 0003-e1000-fix-access-4-bytes-beyond-buffer-end.patch of Package xen

From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Mon, 12 Jul 2010 20:24:59 +0300
Subject: e1000: fix access 4 bytes beyond buffer end
Patch-mainline: v0.13.0-rc0
Git-commit: b0b900070c7cb29bbefb732ec00397abe5de6d73
References: bnc#840196

We do range check for size, and get size as buffer,
but copy size + 4 bytes (4 is for FCS).
Let's copy size bytes but put size + 4 in length.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Michal Kubecek <mkubecek@suse.cz>
---
 tools/qemu-xen-traditional-dir-remote/hw/e1000.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/tools/qemu-xen-traditional-dir-remote/hw/e1000.c b/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
index c75bc5e..9b062db 100644
--- a/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
+++ b/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
@@ -659,7 +659,6 @@ e1000_receive(void *opaque, const uint8_t *buf, int size)
     }
 
     rdh_start = s->mac_reg[RDH];
-    size += 4; // for the header
     do {
         if (s->mac_reg[RDH] == s->mac_reg[RDT] && s->check_rxov) {
             set_ics(s, 0, E1000_ICS_RXO);
@@ -673,7 +672,7 @@ e1000_receive(void *opaque, const uint8_t *buf, int size)
         if (desc.buffer_addr) {
             cpu_physical_memory_write(le64_to_cpu(desc.buffer_addr),
                                       (void *)(buf + vlan_offset), size);
-            desc.length = cpu_to_le16(size);
+            desc.length = cpu_to_le16(size + 4 /* for FCS */);
             desc.status |= E1000_RXD_STAT_EOP|E1000_RXD_STAT_IXSM;
         } else // as per intel docs; skip descriptors with null buf addr
             DBGOUT(RX, "Null RX descriptor!!\n");
-- 
1.8.1.4