Overview

File CVE-2018-17963-qemut-net-ignore-packets-with-large-size.patch of Package xen

References: bsc#1111014 CVE-2018-17963

There should not be a reason for passing a packet size greater than
INT_MAX. It's usually a hint of bug somewhere, so ignore packet size
greater than INT_MAX in qemu_deliver_packet_iov()

CC: address@hidden
Reported-by: Daniel Shapira <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
---
 net/net.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

Index: xen-4.9.3-testing/tools/qemu-xen-traditional-dir-remote/net.c
===================================================================
--- xen-4.9.3-testing.orig/tools/qemu-xen-traditional-dir-remote/net.c
+++ xen-4.9.3-testing/tools/qemu-xen-traditional-dir-remote/net.c
@@ -449,10 +449,15 @@ ssize_t qemu_sendv_packet(VLANClientStat
 {
     VLANState *vlan = vc1->vlan;
     VLANClientState *vc;
+    size_t size = calc_iov_length(iov, iovcnt);
     ssize_t max_len = 0;
 
+    if (size > INT_MAX) {
+        return size;
+    }
+
     if (vc1->link_down)
-        return calc_iov_length(iov, iovcnt);
+        return size;
 
     for (vc = vlan->first_client; vc != NULL; vc = vc->next) {
         ssize_t len = 0;
openSUSE Build Service is sponsored by
Places