File CVE-2016-7995-qemuu-usb-hcd-ehci-memory-leak-in... of Package xen.5853

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2016-7995-qemuu-usb-hcd-ehci-memory-leak-in-ehci_process_itd.patch of Package xen.5853

References: bsc#1003870 CVE-2016-7995

While processing isochronous transfer descriptors(iTD), if the page
select(PG) field value is out of bands it will return. In this
situation the ehci's sg list doesn't be freed thus leading a memory
leak issue. This patch avoid this.

Signed-off-by: Li Qiang <address@hidden>
---
 hw/usb/hcd-ehci.c | 1 +
 1 file changed, 1 insertion(+)

Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c
===================================================================
--- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c
+++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c
@@ -1506,6 +1506,7 @@ static int ehci_process_itd(EHCIState *e
             if (off + len > 4096) {
                 /* transfer crosses page border */
                 if (pg == 6) {
+                    qemu_sglist_destroy(&ehci->isgl);
                     return -1;  /* avoid page pg + 1 */
                 }
                 ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);

Places

File CVE-2016-7995-qemuu-usb-hcd-ehci-memory-leak-in-ehci_process_itd.patch of Package xen.5853

Places