Re: [Qemu-devel] [PATCH] e1000: bounds packet size against buffer size
From: Michael Tokarev
Subject: Re: [Qemu-devel] [PATCH] e1000: bounds packet size against buffer size
Date: Thu, 02 Feb 2012 19:24:25 +0400
User-agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:5.0) Gecko/20110805 Icedove/5.0
On 02.02.2012 15:15, Stefano Stabellini wrote:
> On Mon, 23 Jan 2012, Anthony Liguori wrote:
>> Otherwise we can write beyond the buffer and corrupt memory. This is tracked
>> as CVE-2012-0029.
>
> The stable-1.0 branch looks vulnerable too, shouldn't this patch be
> backported?
This has been going on forever - for example, this patch applies to 0.12
too (modulo the pci_dma_read() changes, which make the context differ).
It applies cleanly to 1.0 stable.
/mjt
>> Signed-off-by: Anthony Liguori <address@hidden>
>> ---
>> hw/e1000.c | 3 +++
>> 1 files changed, 3 insertions(+), 0 deletions(-)
>>
>> diff --git a/hw/e1000.c b/hw/e1000.c
>> index a29c944..86c5416 100644
>> --- a/hw/e1000.c
>> +++ b/hw/e1000.c
>> @@ -466,6 +466,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
>> bytes = split_size;
>> if (tp->size + bytes > msh)
>> bytes = msh - tp->size;
>> +
>> + bytes = MIN(sizeof(tp->data) - tp->size, bytes);
>> pci_dma_read(&s->dev, addr, tp->data + tp->size, bytes);
>> if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
>> memmove(tp->header, tp->data, hdr);
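Review bot: the new clamp `bytes = MIN(sizeof(tp->data) - tp->size, bytes);` truncates silently, so a guest that submits a descriptor chain larger than tp->data gets a shortened frame with no diagnostic; consider a DBGOUT(TXERR, ...) or dropping the descriptor when MIN() actually shortens `bytes`, so the condition is visible during testing. The subtraction `sizeof(tp->data) - tp->size` is unsigned, so it is only well-defined while tp->size never exceeds sizeof(tp->data); a one-line comment stating that every path which grows tp->size is clamped the same way would help the next reader.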
>> @@ -481,6 +483,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
>> // context descriptor TSE is not set, while data descriptor TSE is
>> set
>> DBGOUT(TXERR, "TCP segmentaion Error\n");
>> } else {
>> + split_size = MIN(sizeof(tp->data) - tp->size, split_size);
>> pci_dma_read(&s->dev, addr, tp->data + tp->size, split_size);
>> tp->size += split_size;
>> }
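Review bot: `split_size = MIN(sizeof(tp->data) - tp->size, split_size);` repeats the clamp from the first hunk verbatim; a small static helper, or at least a comment pointing at the other site, would keep the two in step if tp->data ever changes size. As in the first hunk the truncation is silent, and since the preceding branch in this same block already emits DBGOUT(TXERR, "TCP segmentaion Error\n"), a matching DBGOUT when split_size is reduced would make a misbehaving guest visible. The following `tp->size += split_size;` keeps tp->size <= sizeof(tp->data), which is the invariant that makes the unsigned subtraction in both hunks safe.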
>> --
>> 1.7.4.1
>>
>>
>