File CVE-2015-8743-qemut-ne2000-OOB-memory-access-in-ioport-rw-functions.patch of Package xen.7317

From: Prasad J Pandit <address@hidden>

While doing ioport r/w operations, ne2000 device emulation suffers
from OOB r/w errors. Update respective array bounds check to avoid
OOB access.

Reported-by: Ling Liu <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
 hw/ne2000.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

Updated as per review in
  -> https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg04863.html

Index: xen-4.4.4-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
+++ xen-4.4.4-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
@@ -541,7 +541,8 @@ static inline void ne2000_mem_writel(NE2
 {
     addr &= ~1; /* XXX: check exact behaviour if not even */
     if (addr < 32 || 
-        (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE - 2)) {
+        (addr >= NE2000_PMEM_START &&
+            addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
         cpu_to_le32wu((uint32_t *)(s->mem + addr), val);
     }
 }
@@ -571,7 +572,8 @@ static inline uint32_t ne2000_mem_readl(
 {
     addr &= ~1; /* XXX: check exact behaviour if not even */
     if (addr < 32 || 
-        (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE - 2)) {
+        (addr >= NE2000_PMEM_START &&
+            addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
         return le32_to_cpupu((uint32_t *)(s->mem + addr));
     } else {
         return 0xffffffff;