File CVE-2016-8910-qemut-net-rtl8139-infinite-loop-w... of Package xen

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2016-8910-qemut-net-rtl8139-infinite-loop-while-transmit-in-Cplus-mode.patch of Package xen (Revision 32c66e2a7e6b1648f2747f3d0ae55290)

Currently displaying revision 32c66e2a7e6b1648f2747f3d0ae55290 , Show latest

References: bsc#1007157 CVE-2016-8910

Subject: net: rtl8139: limit processing of ring descriptors
From: Prasad J Pandit pjp@fedoraproject.org Fri Oct 21 17:39:29 2016 +0530
Date: Wed Oct 26 09:57:59 2016 +0800:
Git: c7c35916692fe010fef25ac338443d3fe40be225

RTL8139 ethernet controller in C+ mode supports multiple
descriptor rings, each with maximum of 64 descriptors. While
processing transmit descriptor ring in 'rtl8139_cplus_transmit',
it does not limit the descriptor count and runs forever. Add
check to avoid it.

Reported-by: Andrew Henderson <hendersa@icculus.org>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>

Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c
===================================================================
--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c
@@ -2367,7 +2367,7 @@ static void rtl8139_cplus_transmit(RTL81
 {
     int txcount = 0;
 
-    while (rtl8139_cplus_transmit_one(s))
+    while (txcount < 64 && rtl8139_cplus_transmit_one(s))
     {
         ++txcount;
     }

Places

File CVE-2016-8910-qemut-net-rtl8139-infinite-loop-while-transmit-in-Cplus-mode.patch of Package xen (Revision 32c66e2a7e6b1648f2747f3d0ae55290)

Places