From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1I1s2B-0005Kt-Ek
	for qemu-devel@nongnu.org; Fri, 22 Jun 2007 18:55:19 -0400
Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43)
	id 1I1s28-0005Kh-2A
	for qemu-devel@nongnu.org; Fri, 22 Jun 2007 18:55:18 -0400
Received: from [199.232.76.173] (helo=monty-python.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1I1s27-0005Ke-T7
	for qemu-devel@nongnu.org; Fri, 22 Jun 2007 18:55:15 -0400
Received: from farad.aurel32.net ([82.232.2.251] helo=mail.aurel32.net)
	by monty-python.gnu.org with esmtps (TLS-1.0:RSA_AES_256_CBC_SHA1:32)
	(Exim 4.60) (envelope-from <aurel32@farad.aurel32.net>)
	id 1I1s27-00077l-BK
	for qemu-devel@nongnu.org; Fri, 22 Jun 2007 18:55:15 -0400
Received: from farad.aurel32.net ([2001:618:400:fc13:216:3eff:fe00:100c])
	by mail.aurel32.net with esmtps (TLS-1.0:RSA_AES_256_CBC_SHA1:32)
	(Exim 4.63) (envelope-from <aurel32@farad.aurel32.net>)
	id 1I1s25-00081q-Oo
	for qemu-devel@nongnu.org; Sat, 23 Jun 2007 00:55:13 +0200
Received: from aurel32 by farad.aurel32.net with local (Exim 4.63)
	(envelope-from <aurel32@farad.aurel32.net>) id 1I1s25-00042J-Gw
	for qemu-devel@nongnu.org; Sat, 23 Jun 2007 00:55:13 +0200
Date: Sat, 23 Jun 2007 00:55:13 +0200
From: Aurelien Jarno <aurelien@aurel32.net>
Message-ID: <20070622225513.GA15510@farad.aurel32.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-15
Content-Disposition: inline
Subject: [Qemu-devel] [PATCH,
	Security] insufficient input validation in NE2000 card
Reply-To: qemu-devel@nongnu.org
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org

>>From Debian Security Announce:

  CVE-2007-1321
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1321

  Tavis Ormandy discovered that the NE2000 network driver and the socket
  code perform insufficient input validation, which might allow the
  execution of arbitrary code through a heap overflow.

The patch below is the patch used by the Debian package to fix this.


Index: hw/ne2000.c
===================================================================
--- hw/ne2000.c.orig	2007-05-16 06:42:14.000000000 +0300
+++ hw/ne2000.c	2007-05-16 06:42:15.000000000 +0300
@@ -230,7 +230,7 @@ static void ne2000_receive(void *opaque,
 {
     NE2000State *s = opaque;
     uint8_t *p;
-    int total_len, next, avail, len, index, mcast_idx;
+    unsigned int total_len, next, avail, len, index, mcast_idx;
     uint8_t buf1[60];
     static const uint8_t broadcast_macaddr[6] = 
         { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
@@ -299,7 +299,11 @@ static void ne2000_receive(void *opaque,
 
     /* write packet data */
     while (size > 0) {
-        avail = s->stop - index;
+        /* taviso: this can wrap, so check its okay. */
+        if (index <= s->stop)
+            avail = s->stop - index;
+        else
+            avail = 0;
         len = size;
         if (len > avail)
             len = avail;


-- 
  .''`.  Aurelien Jarno	            | GPG: 1024D/F1BCDB73
 : :' :  Debian developer           | Electrical Engineer
 `. `'   aurel32@debian.org         | aurelien@aurel32.net
   `-    people.debian.org/~aurel32 | www.aurel32.net