Date: Wed, 21 Sep 2016 23:20:05 +0530 (IST)
From: P J P
To: Paolo Bonzini
Cc: Qemu Developers, Jason Wang, Li Qiang
Subject: Re: [Qemu-devel] [PATCH] net: mcf: check buffer descriptor length
In-Reply-To: <99c87ec2-40d3-3b7d-8e11-f2e90cc3a2ec@redhat.com>
References: <1474465547-31638-1-git-send-email-ppandit@redhat.com> <99c87ec2-40d3-3b7d-8e11-f2e90cc3a2ec@redhat.com>

+-- On Wed, 21 Sep 2016, Paolo Bonzini wrote --+
| On 21/09/2016 15:45, P J P wrote:
| > DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
| > addr, bd.flags, bd.length, bd.data);
| > - if ((bd.flags & FEC_BD_R) == 0) {
| > + if (!bd.length || (bd.flags & FEC_BD_R) == 0) {
| > /* Run out of descriptors to transmit. */
| > break;
| > }
|
| Is this a bug?

  Yes, a guest user can control the contents of buffer descriptor 'bd' and
could set its length to zero and bd.flags to FEC_BD_R, thus making the loop
run infinite iterations.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
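Review bot: the unchanged context comment `/* Run out of descriptors to transmit. */` no longer matches the condition once `!bd.length ||` is added, because a zero-length descriptor with FEC_BD_R set is not the end of the ring; either update the comment to say that a zero-length descriptor also terminates transmission, or, if such a descriptor should be skipped rather than end the whole transmit, advance to the next descriptor instead of `break`. Also, as the reply itself states, the guest controls both `bd.length` and `bd.flags`, and the two conditions shown are the loop's only exits, so rejecting length 0 closes this one infinite-loop path but does not bound how many descriptors the loop walks; an explicit descriptor-count limit would be a more robust stop condition.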