File CVE-2016-7995-qemuu-usb-hcd-ehci-memory-leak-in-ehci_process_itd.patch of Package xen.4218

References: bsc#1003870 CVE-2016-7995

While processing isochronous transfer descriptors (iTD), if the page
select (PG) field value is out of bounds it will return. In this
situation the ehci's sg list is not freed, thus leading to a memory
leak issue. This patch avoids this.

Signed-off-by: Li Qiang <address@hidden>
---
 hw/usb/hcd-ehci.c | 1 +
 1 file changed, 1 insertion(+)

Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c
===================================================================
--- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c
+++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c
@@ -1506,6 +1506,7 @@ static int ehci_process_itd(EHCIState *e
             if (off + len > 4096) {
                 /* transfer crosses page border */
                 if (pg == 6) {
+                    qemu_sglist_destroy(&ehci->isgl);
                     return -1;  /* avoid page pg + 1 */
                 }
                 ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);
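
Review bot: the cleanup is added only on the `pg == 6` early return, so any other exit from `ehci_process_itd` that is taken after `ehci->isgl` has been set up would still skip `qemu_sglist_destroy(&ehci->isgl)`. The rest of the function is not visible in this hunk, so please confirm there are no other such returns, and consider routing error exits through a single cleanup label instead of repeating the destroy call before each `return -1`. The commit message would also be clearer if it named the exact condition: the return sits inside `if (off + len > 4096)`, where the transfer crosses a page border and `itd->bufptr[pg + 1]` would be read next, which is why `pg == 6` is rejected.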