add the zeroinit block driver filter
[pve-qemu-kvm.git] / debian / patches / old / CVE-2015-8701-net-rocker-off-by-one.patch
blob7b17355cc004eb03b25680b05bac1dc55455777f
1 From 60e8fd72b0faaf940e220a0514001b86b7149e09 Mon Sep 17 00:00:00 2001
2 From: Prasad J Pandit <pjp@fedoraproject.org>
3 Date: Mon, 28 Dec 2015 16:24:08 +0530
4 Subject: [PATCH] net: rocker: fix an incorrect array bounds check
6 While processing transmit(tx) descriptors in 'tx_consume' routine
7 the switch emulator suffers from an off-by-one error, if a
8 descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=16)
9 fragments. Fix an incorrect bounds check to avoid it.
11 Reported-by: Qinghao Tang <luodalongde@gmail.com>
12 Cc: qemu-stable@nongnu.org
13 Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
14 Signed-off-by: Jason Wang <jasowang@redhat.com>
15 ---
16 hw/net/rocker/rocker.c | 8 ++++----
17 1 file changed, 4 insertions(+), 4 deletions(-)
19 diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
20 index c57f1a6..2e77e50 100644
21 --- a/hw/net/rocker/rocker.c
22 +++ b/hw/net/rocker/rocker.c
23 @@ -232,6 +232,9 @@ static int tx_consume(Rocker *r, DescInfo *info)
24 frag_addr = rocker_tlv_get_le64(tlvs[ROCKER_TLV_TX_FRAG_ATTR_ADDR]);
25 frag_len = rocker_tlv_get_le16(tlvs[ROCKER_TLV_TX_FRAG_ATTR_LEN]);
27 + if (iovcnt >= ROCKER_TX_FRAGS_MAX) {
28 + goto err_too_many_frags;
29 + }
30 iov[iovcnt].iov_len = frag_len;
31 iov[iovcnt].iov_base = g_malloc(frag_len);
32 if (!iov[iovcnt].iov_base) {
33 @@ -244,10 +247,7 @@ static int tx_consume(Rocker *r, DescInfo *info)
34 err = -ROCKER_ENXIO;
35 goto err_bad_io;
38 - if (++iovcnt > ROCKER_TX_FRAGS_MAX) {
39 - goto err_too_many_frags;
40 - }
41 + iovcnt++;
44 if (iovcnt) {
45 --
46 2.1.4