qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed
From: Aurelien Jarno <aurelien@aurel32.net>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] [PATCH, Security] insufficient input validation in NE2000 card
Date: Sat, 23 Jun 2007 00:55:13 +0200	[thread overview]
Message-ID: <20070622225513.GA15510@farad.aurel32.net> (raw)

>From Debian Security Announce:

  CVE-2007-1321
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1321

  Tavis Ormandy discovered that the NE2000 network driver and the socket
  code perform insufficient input validation, which might allow the
  execution of arbitrary code through a heap overflow.

The patch below is the patch used by the Debian package to fix this.


Index: hw/ne2000.c
===================================================================
--- hw/ne2000.c.orig	2007-05-16 06:42:14.000000000 +0300
+++ hw/ne2000.c	2007-05-16 06:42:15.000000000 +0300
@@ -230,7 +230,7 @@ static void ne2000_receive(void *opaque,
 {
     NE2000State *s = opaque;
     uint8_t *p;
-    int total_len, next, avail, len, index, mcast_idx;
+    unsigned int total_len, next, avail, len, index, mcast_idx;
     uint8_t buf1[60];
     static const uint8_t broadcast_macaddr[6] = 
         { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
@@ -299,7 +299,11 @@ static void ne2000_receive(void *opaque,
 
     /* write packet data */
     while (size > 0) {
-        avail = s->stop - index;
+        /* taviso: this can wrap, so check its okay. */
+        if (index <= s->stop)
+            avail = s->stop - index;
+        else
+            avail = 0;
         len = size;
         if (len > avail)
             len = avail;


-- 
  .''`.  Aurelien Jarno	            | GPG: 1024D/F1BCDB73
 : :' :  Debian developer           | Electrical Engineer
 `. `'   aurel32@debian.org         | aurelien@aurel32.net
   `-    people.debian.org/~aurel32 | www.aurel32.net

                 reply	other threads:[~2007-06-22 22:55 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20070622225513.GA15510@farad.aurel32.net \
    --to=aurelien@aurel32.net \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).