Google Git
Sign in
qemu-android / qemu-android / 9f7c594c006289ad41169b854d70f5da6e400a2a
commit9f7c594c006289ad41169b854d70f5da6e400a2a[log] [tgz]
authorPetr Matousek <pmatouse@redhat.com>Sun May 24 10:53:44 2015 +0200
committerStefan Hajnoczi <stefanha@redhat.com>Wed Jun 10 15:03:02 2015 +0100
treec0ec35dc415f0ae1f0306b1dbc21b0d8668ba849
parentb0411142f482df92717f8b4a3b746081a62b724f [diff]
pcnet: force the buffer access to be in bounds during tx

4096 is the maximum length per TMD and it is also currently the size of
the relay buffer pcnet driver uses for sending the packet data to QEMU
for further processing. With packet spanning multiple TMDs it can
happen that the overall packet size will be bigger than sizeof(buffer),
which results in memory corruption.

Fix this by only allowing to queue maximum sizeof(buffer) bytes.

This is CVE-2015-3209.

[Fixed 3-space indentation to QEMU's 4-space coding standard.
--Stefan]

Signed-off-by: Petr Matousek <pmatouse@redhat.com>
Reported-by: Matt Tait <matttait@google.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
1 file changed
tree: c0ec35dc415f0ae1f0306b1dbc21b0d8668ba849
  1. audio/
  2. backends/
  3. block/
  4. bsd-user/
  5. default-configs/
  6. disas/
  7. docs/
  8. fpu/
  9. fsdev/
  10. gdb-xml/
  11. hw/
  12. include/
  13. libcacard/
  14. libdecnumber/
  15. linux-headers/
  16. linux-user/
  17. migration/
  18. net/
  19. pc-bios/
  20. po/
  21. qapi/
  22. qga/
  23. qobject/
  24. qom/
  25. roms/
  26. scripts/
  27. slirp/
  28. stubs/
  29. target-alpha/
  30. target-arm/
  31. target-cris/
  32. target-i386/
  33. target-lm32/
  34. target-m68k/
  35. target-microblaze/
  36. target-mips/
  37. target-moxie/
  38. target-openrisc/
  39. target-ppc/
  40. target-s390x/
  41. target-sh4/
  42. target-sparc/
  43. target-tricore/
  44. target-unicore32/
  45. target-xtensa/
  46. tcg/
  47. tests/
  48. trace/
  49. ui/
  50. util/
  51. dtc
  52. pixman
  53. .exrc
  54. .gitignore
  55. .gitmodules
  56. .mailmap
  57. .travis.yml
  58. accel.c
  59. aio-posix.c
  60. aio-win32.c
  61. arch_init.c
  62. async.c
  63. balloon.c
  64. block.c
  65. blockdev-nbd.c
  66. blockdev.c
  67. blockjob.c
  68. bootdevice.c
  69. bt-host.c
  70. bt-vhci.c
  71. Changelog
  72. CODING_STYLE
  73. configure
  74. COPYING
  75. COPYING.LIB
  76. coroutine-gthread.c
  77. coroutine-sigaltstack.c
  78. coroutine-ucontext.c
  79. coroutine-win32.c
  80. cpu-exec.c
  81. cpus.c
  82. cputlb.c
  83. device-hotplug.c
  84. device_tree.c
  85. disas.c
  86. dma-helpers.c
  87. dump.c
  88. exec.c
  89. gdbstub.c
  90. HACKING
  91. hmp-commands.hx
  92. hmp.c
  93. hmp.h
  94. iohandler.c
  95. ioport.c
  96. iothread.c
  97. kvm-all.c
  98. kvm-stub.c
  99. LICENSE
  100. main-loop.c
  101. MAINTAINERS
  102. Makefile
  103. Makefile.objs
  104. Makefile.target
  105. memory.c
  106. memory_mapping.c
  107. module-common.c
  108. monitor.c
  109. nbd.c
  110. numa.c
  111. os-posix.c
  112. os-win32.c
  113. page_cache.c
  114. qapi-schema.json
  115. qdev-monitor.c
  116. qdict-test-data.txt
  117. qemu-bridge-helper.c
  118. qemu-char.c
  119. qemu-coroutine-io.c
  120. qemu-coroutine-lock.c
  121. qemu-coroutine-sleep.c
  122. qemu-coroutine.c
  123. qemu-doc.texi
  124. qemu-img-cmds.hx
  125. qemu-img.c
  126. qemu-img.texi
  127. qemu-io-cmds.c
  128. qemu-io.c
  129. qemu-log.c
  130. qemu-nbd.c
  131. qemu-nbd.texi
  132. qemu-options-wrapper.h
  133. qemu-options.h
  134. qemu-options.hx
  135. qemu-seccomp.c
  136. qemu-tech.texi
  137. qemu-timer.c
  138. qemu.nsi
  139. qemu.sasl
  140. qjson.c
  141. qmp-commands.hx
  142. qmp.c
  143. qtest.c
  144. README
  145. rules.mak
  146. savevm.c
  147. softmmu_template.h
  148. spice-qemu-char.c
  149. tcg-runtime.c
  150. tci.c
  151. thread-pool.c
  152. thunk.c
  153. tpm.c
  154. trace-events
  155. translate-all.c
  156. translate-all.h
  157. user-exec.c
  158. VERSION
  159. version.rc
  160. vl.c
  161. xen-common-stub.c
  162. xen-common.c
  163. xen-hvm-stub.c
  164. xen-hvm.c
  165. xen-mapcache.c