File 2007-Do-not-copy-garbage-bytes-into-SNP-.patch of Package qemu.19799

From: Michael Brown <mcb30@ipxe.org>
Date: Wed, 22 Jun 2016 09:07:20 +0100
Subject: Do not copy garbage bytes into SNP device path MAC address

The SNP device path includes the network device's MAC address within
the MAC_ADDR_DEVICE_PATH.MacAddress field.  We check that the
link-layer address will fit within this field, and then perform the
copy using the length of the destination buffer.

At 32 bytes, the MacAddress field is actually larger than the current
maximum iPXE link-layer address.  The copy therefore overflows the
source buffer, resulting in trailing garbage bytes being appended to
the device path's MacAddress.  This is invisible in debug messages,
since the DevicePathToText protocol will render only the length
implied by the interface type.

Fix by copying only the actual length of the link-layer address (which
we have already verified will not overflow the destination buffer).

Debugged-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
 src/interface/efi/efi_snp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roms/ipxe/src/interface/efi/efi_snp.c b/roms/ipxe/src/interface/efi/efi_snp.c
index 3dfcc5e168da7628ee4871f84eee..51601743ef353a6a5c3740fdcc66 100644
--- a/roms/ipxe/src/interface/efi/efi_snp.c
+++ b/roms/ipxe/src/interface/efi/efi_snp.c
@@ -1049,7 +1049,7 @@ static int efi_snp_probe ( struct net_device *netdev ) {
 	macpath->Header.SubType = MSG_MAC_ADDR_DP;
 	macpath->Header.Length[0] = sizeof ( *macpath );
 	memcpy ( &macpath->MacAddress, netdev->ll_addr,
-		 sizeof ( macpath->MacAddress ) );
+		 netdev->ll_protocol->ll_addr_len );
 	macpath->IfType = ntohs ( netdev->ll_protocol->ll_proto );
 	memset ( path_end, 0, sizeof ( *path_end ) );
 	path_end->Type = END_DEVICE_PATH_TYPE;
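Review bot: the new copy length `netdev->ll_protocol->ll_addr_len` is safe only if the check that it does not exceed `sizeof ( macpath->MacAddress )` runs before this `memcpy`; that check is outside the hunk, so confirm it precedes line 1051 rather than being performed later in `efi_snp_probe`. Also, copying fewer bytes than the field holds leaves the remaining `MacAddress` bytes with whatever the containing buffer held before, so unless `macpath` was allocated zeroed, consider a `memset ( &macpath->MacAddress, 0, sizeof ( macpath->MacAddress ) );` immediately before the copy (the hunk zeroes `path_end` this way but shows no equivalent for `macpath`), so the device path is deterministic for the bytes the DevicePathToText protocol does not render.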