File CVE-2016-7909-qemut-net-pcnet-infinite-loop-in-pcnet_rdra_addr.patch of Package xen.openSUSE_Leap_42.3_Update
References: bsc#1003032 CVE-2016-7909
The AMD PC-Net II emulator has set of control and status(CSR)
registers. Of these, CSR76 and CSR78 hold receive and transmit
descriptor ring length respectively. This ring length could range
from 1 to 65535. Setting ring length to zero leads to an infinite
loop in pcnet_rdra_addr. Add check to avoid it.
Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/net/pcnet.c | 3 +++
1 file changed, 3 insertions(+)
Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pcnet.c
===================================================================
--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pcnet.c
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pcnet.c
@@ -1476,8 +1476,11 @@ static void pcnet_csr_writew(PCNetState
case 47: /* POLLINT */
case 72:
case 74:
+ break;
case 76: /* RCVRL */
case 78: /* XMTRL */
+ val = (val > 0) ? val : 512;
+ break;
case 112:
if (CSR_STOP(s) || CSR_SPND(s))
break;