File CVE-2016-4001-qemuu-net-buffer-overflow-in-stellaris_enet-emulator.patch of Package xen.11319

References: bsc#975130 CVE-2016-4001

Subject: net: stellaris_enet: check packet length against receive buffer
From: Prasad J Pandit pjp@fedoraproject.org Fri Apr 8 11:33:48 2016 +0530
Date: Mon Apr 11 14:22:33 2016 +0100:
Git: 3a15cc0e1ee7168db0782133d2607a6bfa422d66

When receiving packets over Stellaris ethernet controller, it
uses receive buffer of size 2048 bytes. In case the controller
accepts large(MTU) packets, it could lead to memory corruption.
Add check to avoid it.

Reported-by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 1460095428-22698-1-git-send-email-ppandit@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/net/stellaris_enet.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/net/stellaris_enet.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/net/stellaris_enet.c
@@ -101,8 +101,18 @@ static ssize_t stellaris_enet_receive(Ne
     n = s->next_packet + s->np;
     if (n >= 31)
         n -= 31;
-    s->np++;
 
+    if (size >= sizeof(s->rx[n].data) - 6) {
+        /* If the packet won't fit into the
+         * emulated 2K RAM, this is reported
+         * as a FIFO overrun error.
+         */
+        s->ris |= SE_INT_FOV;
+        stellaris_enet_update(s);
+        return -1;
+    }
+
+    s->np++;
     s->rx[n].len = size + 6;
     p = s->rx[n].data;
     *(p++) = (size + 6);