File 0168-net-check-fragment-length-during-fr.patch of Package qemu.12301
From c7e5d5ce05849e5721f996fc970ec667fe0b2f3d Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 4 Aug 2016 13:00:14 +0530
Subject: [PATCH] net: check fragment length during fragmentation

Network transport abstraction layer supports packet fragmentation.
While fragmenting a packet, it checks for more fragments from
packet length and current fragment length. It is susceptible
to an infinite loop, if the current fragment length is zero.
Add check to avoid it.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
CC: qemu-stable@nongnu.org
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit ead315e43ea0c2ca3491209c6c8db8ce3f2bbe05)
[LY: CVE-2016-6834 BSC#994418]
Signed-off-by: Liang Yan <lyan@suse.com>
---
hw/net/vmxnet_tx_pkt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/vmxnet_tx_pkt.c b/hw/net/vmxnet_tx_pkt.c
index c12f522167..eef535454e 100644
--- a/hw/net/vmxnet_tx_pkt.c
+++ b/hw/net/vmxnet_tx_pkt.c
@@ -542,7 +542,7 @@ static bool vmxnet_tx_pkt_do_sw_fragmentation(struct VmxnetTxPkt *pkt,
fragment_offset += fragment_len;
- } while (more_frags);
+ } while (fragment_len && more_frags);
return true;
}
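
Review bot: at the new loop condition, a zero fragment_len ends the loop but the function still falls through to `return true`, so the caller cannot tell a fully fragmented packet from one cut short at a zero-length fragment. Consider returning false, or documenting why success is intended, when the loop exits with fragment_len == 0 while more_frags is still set. Because this is a do-while, the body has also already run once with the zero-length fragment before the check is evaluated; a short comment on the condition noting that it guards against the infinite loop described in the commit message would help future readers.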