summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/qemu/qemu/CVE-2016-4002.patch
blob: 69c11e27d905402efada58ef9e564635ebfa135a (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
From 7a2c32ec06533c54ddaf70136bfbd89eeaf6db16 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 7 Apr 2016 15:56:02 +0530
Subject: [PATCH] net: mipsnet: check packet length against buffer

When receiving packets over MIPSnet network device, it uses
receive buffer of size 1514 bytes. In case the controller
accepts large(MTU) packets, it could lead to memory corruption.
Add check to avoid it.

Reported by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>

(cherry picked from commit 3af9187fc6caaf415ab9c0c6d92c9678f65cb17f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

Upstream-Status: Backport
CVE: CVE-2016-4002
Signed-off-by: Armin Kuster <akuster@mvista.com>

---
 hw/net/mipsnet.c | 3 +++
 1 file changed, 3 insertions(+)

Index: qemu-2.4.0/hw/net/mipsnet.c
===================================================================
--- qemu-2.4.0.orig/hw/net/mipsnet.c
+++ qemu-2.4.0/hw/net/mipsnet.c
@@ -82,6 +82,9 @@ static ssize_t mipsnet_receive(NetClient
     if (!mipsnet_can_receive(nc))
         return 0;
 
+    if (size >= sizeof(s->rx_buffer)) {
+        return 0;
+    }
     s->busy = 1;
 
     /* Just accept everything. */