File 0312-net-vmxnet-check-IP-header-length.patch of Package qemu.6354

From e957199f60d0464664f726d0c0f19c280c4d38d8 Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Tue, 9 Aug 2016 16:49:47 +0530
Subject: [PATCH] net: vmxnet: check IP header length

Vmxnet3 device emulator when parsing packet headers does not check
for IP header length. It could lead to a OOB access when reading
further packet data. Add check to avoid it.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
(cherry picked from commit 93060258ae748573ca7197204125a2670047896d)
[LY: CVE-2016-6835 BSC#994605]
Signed-off-by: Liang Yan <lyan@suse.com>
---
 hw/net/vmxnet_tx_pkt.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/hw/net/vmxnet_tx_pkt.c b/hw/net/vmxnet_tx_pkt.c
index eef535454e..255a77ea10 100644
--- a/hw/net/vmxnet_tx_pkt.c
+++ b/hw/net/vmxnet_tx_pkt.c
@@ -176,6 +176,11 @@ static bool vmxnet_tx_pkt_parse_headers(struct VmxnetTxPkt *pkt)
         }
 
         l3_hdr->iov_len = IP_HDR_GET_LEN(l3_hdr->iov_base);
+        if(l3_hdr->iov_len < sizeof(struct ip_header))
+        {
+            l3_hdr->iov_len = 0;
+            return false;
+        }
         pkt->l4proto = ((struct ip_header *) l3_hdr->iov_base)->ip_p;
 
         /* copy optional IPv4 header data */