diff options
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2016-4002.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2016-4002.patch | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-4002.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-4002.patch new file mode 100644 index 0000000000..69c11e27d9 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-4002.patch @@ -0,0 +1,39 @@ +From 7a2c32ec06533c54ddaf70136bfbd89eeaf6db16 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Thu, 7 Apr 2016 15:56:02 +0530 +Subject: [PATCH] net: mipsnet: check packet length against buffer + +When receiving packets over MIPSnet network device, it uses +receive buffer of size 1514 bytes. In case the controller +accepts large(MTU) packets, it could lead to memory corruption. +Add check to avoid it. + +Reported by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Signed-off-by: Jason Wang <jasowang@redhat.com> + +(cherry picked from commit 3af9187fc6caaf415ab9c0c6d92c9678f65cb17f) +Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> + +Upstream-Status: Backport +CVE: CVE-2016-4002 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + hw/net/mipsnet.c | 3 +++ + 1 file changed, 3 insertions(+) + +Index: qemu-2.4.0/hw/net/mipsnet.c +=================================================================== +--- qemu-2.4.0.orig/hw/net/mipsnet.c ++++ qemu-2.4.0/hw/net/mipsnet.c +@@ -82,6 +82,9 @@ static ssize_t mipsnet_receive(NetClient + if (!mipsnet_can_receive(nc)) + return 0; + ++ if (size >= sizeof(s->rx_buffer)) { ++ return 0; ++ } + s->busy = 1; + + /* Just accept everything. */ |