net: avoid infinite loop when receiving packets(CVE-2015-5278)

Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152) bytes to process network packets. While receiving packets via ne2000_receive() routine, a local 'index' variable could exceed the ring buffer size, leading to an infinite loop situation. Reported-by: Qinghao Tang <luodalongde@gmail.com> Signed-off-by: P J P <pjp@fedoraproject.org> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
author: P J P <pjp@fedoraproject.org> 2015-09-15 16:46:59 +0530
committer: Stefan Hajnoczi <stefanha@redhat.com> 2015-09-15 12:51:14 +0100
commit: 737d2b3c41d59eb8f94ab7eb419b957938f24943 (patch)
tree: de751aa25c0ae9b3ddc10e5f142c3e703a4d991b
parent: 9bbdbc66e5765068dce76e9269dce4547afd8ad4 (diff)
download: hqemu-737d2b3c41d59eb8f94ab7eb419b957938f24943.zip
hqemu-737d2b3c41d59eb8f94ab7eb419b957938f24943.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
index 3798a3b..010f9ef 100644
--- a/hw/net/ne2000.c
+++ b/hw/net/ne2000.c
@@ -247,7 +247,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
         if (index <= s->stop)
             avail = s->stop - index;
         else
-            avail = 0;
+            break;
         len = size;
         if (len > avail)
             len = avail;
author	P J P <pjp@fedoraproject.org>	2015-09-15 16:46:59 +0530
committer	Stefan Hajnoczi <stefanha@redhat.com>	2015-09-15 12:51:14 +0100
commit	737d2b3c41d59eb8f94ab7eb419b957938f24943 (patch)
tree	de751aa25c0ae9b3ddc10e5f142c3e703a4d991b
parent	9bbdbc66e5765068dce76e9269dce4547afd8ad4 (diff)
download	hqemu-737d2b3c41d59eb8f94ab7eb419b957938f24943.zip hqemu-737d2b3c41d59eb8f94ab7eb419b957938f24943.tar.gz