File CVE-2016-6834-qemuu-net-vmxnet3-an-infinite-loop-during-packet-fragmentation.patch of Package xen.6117
References: bsc#994421 CVE-2016-6834
Subject: net: check fragment length during fragmentation
From: Prasad J Pandit pjp@fedoraproject.org Thu Aug 4 13:00:14 2016 +0530
Date: Tue Aug 9 11:45:30 2016 +0800:
Git: ead315e43ea0c2ca3491209c6c8db8ce3f2bbe05
Network transport abstraction layer supports packet fragmentation.
While fragmenting a packet, it checks for more fragments from
packet length and current fragment length. It is susceptible
to an infinite loop, if the current fragment length is zero.
Add check to avoid it.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
CC: qemu-stable@nongnu.org
Signed-off-by: Jason Wang <jasowang@redhat.com>
Index: xen-4.5.3-testing/tools/qemu-xen-dir-remote/hw/net/vmxnet_tx_pkt.c
===================================================================
--- xen-4.5.3-testing.orig/tools/qemu-xen-dir-remote/hw/net/vmxnet_tx_pkt.c
+++ xen-4.5.3-testing/tools/qemu-xen-dir-remote/hw/net/vmxnet_tx_pkt.c
@@ -543,7 +543,7 @@ static bool vmxnet_tx_pkt_do_sw_fragment
fragment_offset += fragment_len;
- } while (more_frags);
+ } while (fragment_len && more_frags);
return true;
}
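Review bot: On the changed loop condition, `} while (fragment_len && more_frags);`, a zero `fragment_len` now ends the loop but control still falls through to the unchanged `return true;`, so a packet whose fragmentation was cut short is reported to the caller the same way as one that was fully fragmented. If callers treat the return value as "all fragments were produced", consider separating the two exits, for example by returning false when the loop stops with `fragment_len == 0` while `more_frags` is still set. A short comment next to the condition explaining that a zero-length fragment never advances `fragment_offset` (the line just above, `fragment_offset += fragment_len;`) would also make the reason for the extra test clear to later readers.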