From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:35171) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Zbox1-0008GY-Gl for qemu-devel@nongnu.org; Tue, 15 Sep 2015 08:03:12 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Zboww-000309-V1 for qemu-devel@nongnu.org; Tue, 15 Sep 2015 08:03:07 -0400 From: Stefan Hajnoczi Date: Tue, 15 Sep 2015 13:02:31 +0100 Message-Id: <1442318551-27609-4-git-send-email-stefanha@redhat.com> In-Reply-To: <1442318551-27609-1-git-send-email-stefanha@redhat.com> References: <1442318551-27609-1-git-send-email-stefanha@redhat.com> Subject: [Qemu-devel] [PULL 3/3] net: avoid infinite loop when receiving packets(CVE-2015-5278) List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: Peter Maydell , qemu-stable@nongnu.org, Stefan Hajnoczi , P J P From: P J P Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152) bytes to process network packets. While receiving packets via ne2000_receive() routine, a local 'index' variable could exceed the ring buffer size, leading to an infinite loop situation. Reported-by: Qinghao Tang Signed-off-by: P J P Signed-off-by: Stefan Hajnoczi --- hw/net/ne2000.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c index 3798a3b..010f9ef 100644 --- a/hw/net/ne2000.c +++ b/hw/net/ne2000.c @@ -247,7 +247,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_) if (index <= s->stop) avail = s->stop - index; else - avail = 0; + break; len = size; if (len > avail) len = avail; -- 2.4.3