debian/patches/old/CVE-2015-8701-net-rocker-off-by-one.patch

   1 From 60e8fd72b0faaf940e220a0514001b86b7149e09 Mon Sep 17 00:00:00 2001
   2 From: Prasad J Pandit <pjp@fedoraproject.org>
   3 Date: Mon, 28 Dec 2015 16:24:08 +0530
   4 Subject: [PATCH] net: rocker: fix an incorrect array bounds check
   5
   6 While processing transmit(tx) descriptors in 'tx_consume' routine
   7 the switch emulator suffers from an off-by-one error, if a
   8 descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=16)
   9 fragments. Fix an incorrect bounds check to avoid it.
  10
  11 Reported-by: Qinghao Tang <luodalongde@gmail.com>
  12 Cc: qemu-stable@nongnu.org
  13 Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
  14 Signed-off-by: Jason Wang <jasowang@redhat.com>
  15 ---
  16  hw/net/rocker/rocker.c | 8 ++++----
  17  1 file changed, 4 insertions(+), 4 deletions(-)
  18
  19 diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
  20 index c57f1a6..2e77e50 100644
  21 --- a/hw/net/rocker/rocker.c
  22 +++ b/hw/net/rocker/rocker.c
  23 @@ -232,6 +232,9 @@ static int tx_consume(Rocker *r, DescInfo *info)
  24          frag_addr = rocker_tlv_get_le64(tlvs[ROCKER_TLV_TX_FRAG_ATTR_ADDR]);
  25          frag_len = rocker_tlv_get_le16(tlvs[ROCKER_TLV_TX_FRAG_ATTR_LEN]);
  26
  27 +        if (iovcnt >= ROCKER_TX_FRAGS_MAX) {
  28 +            goto err_too_many_frags;
  29 +        }
  30          iov[iovcnt].iov_len = frag_len;
  31          iov[iovcnt].iov_base = g_malloc(frag_len);
  32          if (!iov[iovcnt].iov_base) {
  33 @@ -244,10 +247,7 @@ static int tx_consume(Rocker *r, DescInfo *info)
  34              err = -ROCKER_ENXIO;
  35              goto err_bad_io;
  36          }
  37 -
  38 -        if (++iovcnt > ROCKER_TX_FRAGS_MAX) {
  39 -            goto err_too_many_frags;
  40 -        }
  41 +        iovcnt++;
  42      }
  43
  44      if (iovcnt) {
  45 --
  46 2.1.4
  47