Overview

File CVE-2016-6835-qemuu-net-vmxnet3-buffer-overflow-in-vmxnet_tx_pkt_parse_headers.patch of Package xen.7317

References: bsc#994625 CVE-2016-6835

Vmxnet3 device emulator when parsing packet headers does not check
for IP header length. It could lead to a OOB access when reading
further packet data. Add check to avoid it.

Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
 hw/net/vmxnet_tx_pkt.c | 5 +++++
 1 file changed, 5 insertions(+)

Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/net/vmxnet_tx_pkt.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/net/vmxnet_tx_pkt.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/net/vmxnet_tx_pkt.c
@@ -177,6 +177,11 @@ static bool vmxnet_tx_pkt_parse_headers(
         }
 
         l3_hdr->iov_len = IP_HDR_GET_LEN(l3_hdr->iov_base);
+        if(l3_hdr->iov_len < sizeof(struct ip_header))
+        {
+            l3_hdr->iov_len = 0;
+            return false;
+        }
         pkt->l4proto = ((struct ip_header *) l3_hdr->iov_base)->ip_p;
 
         /* copy optional IPv4 header data */
openSUSE Build Service is sponsored by
Places