File CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch of Package xen.1589

References: bsc#956832 CVE-2015-8345

From: Prasad J Pandit <address@hidden>
Date: Fri, 16 Oct 2015 11:33:27 +0530
Subject: eepro100: prevent an infinite loop over same command block

action_command() routine executes a chain of commands located
in the Command Block List(CBL). Each Command Block(CB) has a
link to the next CB in the list, given by 's->tx.link'.
This is used in conjunction with the base address 's->cu_base'.

An infinite loop unfolds if the 'link' to the next CB is
same as the previous one, the loop ends up executing the same
command over and over again.

Reported-by: Qinghao Tang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
 hw/net/eepro100.c | 2 ++
 1 file changed, 2 insertions(+)

Index: xen-4.4.3-testing/tools/qemu-xen-dir-remote/hw/net/eepro100.c
===================================================================
--- xen-4.4.3-testing.orig/tools/qemu-xen-dir-remote/hw/net/eepro100.c
+++ xen-4.4.3-testing/tools/qemu-xen-dir-remote/hw/net/eepro100.c
@@ -863,6 +863,8 @@ static void action_command(EEPRO100State
         uint16_t ok_status = STATUS_OK;
         s->cb_address = s->cu_base + s->cu_offset;
         read_cb(s);
+        if (s->tx.link == s->cu_offset)
+            break;
         bit_el = ((s->tx.command & COMMAND_EL) != 0);
         bit_s = ((s->tx.command & COMMAND_S) != 0);
         bit_i = ((s->tx.command & COMMAND_I) != 0);