1 | From 3cf61880403b4e484539596a95937cc066243388 Mon Sep 17 00:00:00 2001 |
2 | From: Ian Campbell <Ian.Campbell@citrix.com> | |
3 | Date: Thu, 2 Feb 2012 13:47:06 +0000 | |
4 | Subject: [PATCH] e1000: bounds packet size against buffer size | |
5 | ||
6 | Otherwise we can write beyond the buffer and corrupt memory. This is tracked | |
7 | as CVE-2012-0029. | |
8 | ||
9 | Signed-off-by: Anthony Liguori <aliguori@us.ibm.com> | |
10 | ||
11 | (Backported from qemu upstream 65f82df0d7a71ce1b10cd4c5ab08888d176ac840 | |
12 | by Ian Campbell.) | |
13 | ||
14 | Signed-off-by: Ian Campbell <Ian.Campbell@citrix.com> | |
15 | (cherry picked from commit ebe37b2a3f844bad02dcc30d081f39eda06118f8) | |
16 | --- | |
17 | hw/e1000.c | 3 +++ | |
18 | 1 files changed, 3 insertions(+), 0 deletions(-) | |
19 | ||
20 | diff --git a/tools/ioemu-qemu-xen/hw/e1000.c b/tools/ioemu-qemu-xen/hw/e1000.c | |
21 | index bb3689e..97104ed 100644 | |
22 | --- a/tools/ioemu-qemu-xen/hw/e1000.c | |
23 | +++ b/tools/ioemu-qemu-xen/hw/e1000.c | |
24 | @@ -444,6 +444,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) | |
25 | bytes = split_size; | |
26 | if (tp->size + bytes > msh) | |
27 | bytes = msh - tp->size; | |
28 | + | |
29 | + bytes = MIN(sizeof(tp->data) - tp->size, bytes); | |
30 | cpu_physical_memory_read(addr, tp->data + tp->size, bytes); | |
31 | if ((sz = tp->size + bytes) >= hdr && tp->size < hdr) | |
32 | memmove(tp->header, tp->data, hdr); | |
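Review bot: The added clamp `bytes = MIN(sizeof(tp->data) - tp->size, bytes);` relies on tp->size never exceeding sizeof(tp->data): the subtraction is unsigned, so a larger tp->size would wrap to a huge value and MIN() would keep the unclamped bytes. That invariant appears to hold once both reads into tp->data are clamped (here and in the second hunk), but nothing in the hunk states it, so a comment such as `/* tp->size <= sizeof(tp->data) is invariant: every read into tp->data is clamped, so the subtraction cannot wrap */` would make the reliance explicit. The following `memmove(tp->header, tp->data, hdr);` still copies hdr bytes into tp->header with no bound visible in this hunk; if hdr is validated against sizeof(tp->header) elsewhere, noting that here would help the next reader. process_tx_desc begins and ends outside the hunk.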
33 | @@ -459,6 +461,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) | |
34 | // context descriptor TSE is not set, while data descriptor TSE is set | |
35 | DBGOUT(TXERR, "TCP segmentaion Error\n"); | |
36 | } else { | |
37 | + split_size = MIN(sizeof(tp->data) - tp->size, split_size); | |
38 | cpu_physical_memory_read(addr, tp->data + tp->size, split_size); | |
39 | tp->size += split_size; | |
40 | } | |
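Review bot: The added clamp on split_size silently truncates the descriptor payload when it does not fit, while the sibling branch just above reports its error through `DBGOUT(TXERR, ...)`; a truncated transmit is the observable symptom of a guest driving the device out of spec, so it deserves the same diagnostic. A guard before the MIN(), e.g. `if (split_size > sizeof(tp->data) - tp->size) DBGOUT(TXERR, "tx data exceeds buffer, truncating\n");`, would keep the logging consistent, and the same applies to the clamp in the first hunk. The expression `sizeof(tp->data) - tp->size` is also duplicated verbatim between the two hunks; a local `avail` computed once, or a small static inline helper, would keep the two clamps in step if the buffer type ever changes. process_tx_desc continues past the end of this hunk.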
41 | -- | |
42 | 1.7.2.5 | |