debian/patches/old/0002-pcnet-fix-rx-buffer-overflow-CVE-2015-7512.patch

   1 From 59fb70f22143eccdf74639871e862df0c2f570fc Mon Sep 17 00:00:00 2001
   2 From: Jason Wang <jasowang@redhat.com>
   3 Date: Mon, 30 Nov 2015 15:38:23 +0800
   4 Subject: [PATCH 2/2] pcnet: fix rx buffer overflow(CVE-2015-7512)
   5
   6 Backends could provide a packet whose length is greater than buffer
   7 size. Check for this and truncate the packet to avoid rx buffer
   8 overflow in this case.
   9
  10 Cc: Prasad J Pandit <pjp@fedoraproject.org>
  11 Cc: qemu-stable@nongnu.org
  12 Signed-off-by: Jason Wang <jasowang@redhat.com>
  13 ---
  14  hw/net/pcnet.c | 6 ++++++
  15  1 file changed, 6 insertions(+)
  16
  17 diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
  18 index 309c40b..1f4a3db 100644
  19 --- a/hw/net/pcnet.c
  20 +++ b/hw/net/pcnet.c
  21 @@ -1064,6 +1064,12 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
  22              int pktcount = 0;
  23
  24              if (!s->looptest) {
  25 +                if (size > 4092) {
  26 +#ifdef PCNET_DEBUG_RMD
  27 +                    fprintf(stderr, "pcnet: truncates rx packet.\n");
  28 +#endif
  29 +                    size = 4092;
  30 +                }
  31                  memcpy(src, buf, size);
  32                  /* no need to compute the CRC */
  33                  src[size] = 0;
  34 --
  35 2.1.4
  36