| commit | 3de46e6fc489c52c9431a8a832ad8170a7569bd8 | |
| author | Jason Wang <jasowang@redhat.com> | |
| Wed, 24 Feb 2021 05:45:28 +0000 (24 13:45 +0800) | ||
| committer | Jason Wang <jasowang@redhat.com> | |
| Mon, 15 Mar 2021 08:41:22 +0000 (15 16:41 +0800) | ||
| tree | 9b35439beacc4ffb61753a02a6a83ef1c62d046c | treesnapshot (tar.gz zip) |
| parent | e73b4317b7b7a9d67368387c2f4fbfba6c43e39f | commitdiff |
e1000: fail early for evil descriptor
During procss_tx_desc(), driver can try to chain data descriptor with
legacy descriptor, when will lead underflow for the following
calculation in process_tx_desc() for bytes:
if (tp->size + bytes > msh)
bytes = msh - tp->size;
This will lead a infinite loop. So check and fail early if tp->size if
greater or equal to msh.
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
Reported-by: Ruhr-University Bochum <bugs-syssec@rub.de>
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Jason Wang <jasowang@redhat.com>
During procss_tx_desc(), driver can try to chain data descriptor with
legacy descriptor, when will lead underflow for the following
calculation in process_tx_desc() for bytes:
if (tp->size + bytes > msh)
bytes = msh - tp->size;
This will lead a infinite loop. So check and fail early if tp->size if
greater or equal to msh.
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
Reported-by: Ruhr-University Bochum <bugs-syssec@rub.de>
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Jason Wang <jasowang@redhat.com>
| hw/net/e1000.c | diffblobblamehistory |