| commit | 837f21aacf5a714c23ddaadbbc5212f9b661e3f7 | |
| author | Prasad J Pandit <pjp@fedoraproject.org> | |
| Fri, 20 Nov 2015 06:20:31 +0000 (20 11:50 +0530) | ||
| committer | Jason Wang <jasowang@redhat.com> | |
| Mon, 7 Dec 2015 13:43:48 +0000 (7 21:43 +0800) | ||
| tree | 62f3850f076bb0ba98ffb6594abeb4d30122f415 | treesnapshot (tar.gz zip) |
| parent | 9596ef7c7b8528bedb240792ea1fb598543ad3c4 | commitdiff |
net: pcnet: add check to validate receive data size(CVE-2015-7504)
In loopback mode, pcnet_receive routine appends CRC code to the
receive buffer. If the data size given is same as the buffer size,
the appended CRC code overwrites 4 bytes after s->buffer. Added a
check to avoid that.
Reported by: Qinghao Tang <luodalongde@gmail.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
In loopback mode, pcnet_receive routine appends CRC code to the
receive buffer. If the data size given is same as the buffer size,
the appended CRC code overwrites 4 bytes after s->buffer. Added a
check to avoid that.
Reported by: Qinghao Tang <luodalongde@gmail.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
| hw/net/pcnet.c | diffblobblamehistory |