File CVE-2018-17963-qemut-net-ignore-packets-with-large-size.patch of Package xen.openSUSE_Leap_42.3_Update
References: bsc#1111014 CVE-2018-17963
There should not be a reason for passing a packet size greater than
INT_MAX. It's usually a hint of bug somewhere, so ignore packet size
greater than INT_MAX in qemu_deliver_packet_iov()
CC: address@hidden
Reported-by: Daniel Shapira <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
---
net/net.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
Index: xen-4.9.3-testing/tools/qemu-xen-traditional-dir-remote/net.c
===================================================================
--- xen-4.9.3-testing.orig/tools/qemu-xen-traditional-dir-remote/net.c
+++ xen-4.9.3-testing/tools/qemu-xen-traditional-dir-remote/net.c
@@ -449,10 +449,15 @@ ssize_t qemu_sendv_packet(VLANClientStat
{
VLANState *vlan = vc1->vlan;
VLANClientState *vc;
+ size_t size = calc_iov_length(iov, iovcnt);
ssize_t max_len = 0;
+ if (size > INT_MAX) {
+ return size;
+ }
+
if (vc1->link_down)
- return calc_iov_length(iov, iovcnt);
+ return size;
for (vc = vlan->first_client; vc != NULL; vc = vc->next) {
ssize_t len = 0;