update to 2.7
[pve-qemu-kvm.git] / debian / patches / extra / CVE-2016-7908-net-mcf-limit-buffer-descriptor-count.patch
blobfc15768e5934b178fb4cfe9baca9a95494ffc5ef
1 From 94087c0cbe014b4a60d96930d7cb43d54a05c701 Mon Sep 17 00:00:00 2001
2 From: Prasad J Pandit <pjp@fedoraproject.org>
3 Date: Thu, 22 Sep 2016 16:02:37 +0530
4 Subject: [PATCH 6/7] net: mcf: limit buffer descriptor count
6 ColdFire Fast Ethernet Controller uses buffer descriptors to manage
7 data flow to/fro receive & transmit queues. While transmitting
8 packets, it could continue to read buffer descriptors if a buffer
9 descriptor has length of zero and has crafted values in bd.flags.
10 Set upper limit to number of buffer descriptors.
12 Reported-by: Li Qiang <liqiang6-s@360.cn>
13 Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
14 Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
15 Signed-off-by: Jason Wang <jasowang@redhat.com>
16 ---
17 hw/net/mcf_fec.c | 5 +++--
18 1 file changed, 3 insertions(+), 2 deletions(-)
20 diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
21 index 0ee8ad9..d31fea1 100644
22 --- a/hw/net/mcf_fec.c
23 +++ b/hw/net/mcf_fec.c
24 @@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0)
25 #define DPRINTF(fmt, ...) do {} while(0)
26 #endif
28 +#define FEC_MAX_DESC 1024
29 #define FEC_MAX_FRAME_SIZE 2032
31 typedef struct {
32 @@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
33 uint32_t addr;
34 mcf_fec_bd bd;
35 int frame_size;
36 - int len;
37 + int len, descnt = 0;
38 uint8_t frame[FEC_MAX_FRAME_SIZE];
39 uint8_t *ptr;
41 @@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
42 ptr = frame;
43 frame_size = 0;
44 addr = s->tx_descriptor;
45 - while (1) {
46 + while (descnt++ < FEC_MAX_DESC) {
47 mcf_fec_read_bd(&bd, addr);
48 DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
49 addr, bd.flags, bd.length, bd.data);
50 --
51 2.1.4