Overview

File CVE-2018-17963-qemuu-net-ignore-packets-with-large-size.patch of Package xen.10697

References: bsc#1111014 CVE-2018-17963

There should not be a reason for passing a packet size greater than
INT_MAX. It's usually a hint of bug somewhere, so ignore packet size
greater than INT_MAX in qemu_deliver_packet_iov()

CC: address@hidden
Reported-by: Daniel Shapira <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
---
 net/net.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/net/net.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/net/net.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/net/net.c
@@ -509,10 +509,15 @@ ssize_t qemu_deliver_packet_iov(NetClien
                                 void *opaque)
 {
     NetClientState *nc = opaque;
+    size_t size = iov_size(iov, iovcnt);
     int ret;
 
+    if (size > INT_MAX) {
+        return size;
+    }
+
     if (nc->link_down) {
-        return iov_size(iov, iovcnt);
+        return size;
     }
 
     if (nc->receive_disabled) {
openSUSE Build Service is sponsored by
Places