File CVE-2016-2841-qemut-ne2000-infinite-loop-in-ne2... of Package xen

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2016-2841-qemut-ne2000-infinite-loop-in-ne2000_receive.patch of Package xen (Revision d52ab9fb5315180828e9e6153fd9632d)

Currently displaying revision d52ab9fb5315180828e9e6153fd9632d , Show latest

References: bsc#969351 CVE-2016-2841

From: Prasad J Pandit <address@hidden>

Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
bytes to process network packets. Registers PSTART & PSTOP
define ring buffer size & location. Setting these registers
to invalid values could lead to infinite loop or OOB r/w
access issues. Add check to avoid it.

Reported-by: Yang Hongke <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
 hw/net/ne2000.c | 4 ++++
 1 file changed, 4 insertions(+)

Update per review:
  -> https://lists.gnu.org/archive/html/qemu-devel/2016-02/msg05522.html

Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
@@ -202,6 +202,10 @@ static int ne2000_buffer_full(NE2000Stat
 {
     int avail, index, boundary;
 
+    if (s->stop <= s->start) {
+        return 1;
+    }
+
     index = s->curpag << 8;
     boundary = s->boundary << 8;
     if (index < boundary)

Places

File CVE-2016-2841-qemut-ne2000-infinite-loop-in-ne2000_receive.patch of Package xen (Revision d52ab9fb5315180828e9e6153fd9632d)

Places