[pve-qemu-kvm.git] / debian / patches / 0001-net-pcnet-add-check-to-validate-receive-data-size-CV.patch

From 6314c83ae14ee32835668e38bb55f4b93b800736 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Mon, 30 Nov 2015 15:38:22 +0800
Subject: [PATCH 1/2] net: pcnet: add check to validate receive data
 size(CVE-2015-7504)

In loopback mode, pcnet_receive routine appends CRC code to the
receive buffer. If the data size given is same as the buffer size,
the appended CRC code overwrites 4 bytes after s->buffer. Added a
check to avoid that.

Reported by: Qinghao Tang <luodalongde@gmail.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/net/pcnet.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
index 0eb3cc4..309c40b 100644
--- a/hw/net/pcnet.c
+++ b/hw/net/pcnet.c
@@ -1084,7 +1084,7 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
                 uint32_t fcs = ~0;
                 uint8_t *p = src;
 
-                while (p != &src[size-4])
+                while (p != &src[size])
                     CRC(fcs, *p++);
                 crc_err = (*(uint32_t *)p != htonl(fcs));
             }
@@ -1233,8 +1233,10 @@ static void pcnet_transmit(PCNetState *s)
         bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
 
         /* if multi-tmd packet outsizes s->buffer then skip it silently.
-           Note: this is not what real hw does */
-        if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
+         * Note: this is not what real hw does.
+         * Last four bytes of s->buffer are used to store CRC FCS code.
+         */
+        if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) {
             s->xmit_pos = -1;
             goto txdone;
         }
-- 
2.1.4
Commit	Line	Data
053c5c6c WB	1	From 6314c83ae14ee32835668e38bb55f4b93b800736 Mon Sep 17 00:00:00 2001
	2	From: Prasad J Pandit <pjp@fedoraproject.org>
	3	Date: Mon, 30 Nov 2015 15:38:22 +0800
	4	Subject: [PATCH 1/2] net: pcnet: add check to validate receive data
	5	size(CVE-2015-7504)
	6
	7	In loopback mode, pcnet_receive routine appends CRC code to the
	8	receive buffer. If the data size given is same as the buffer size,
	9	the appended CRC code overwrites 4 bytes after s->buffer. Added a
	10	check to avoid that.
	11
	12	Reported by: Qinghao Tang <luodalongde@gmail.com>
	13	Cc: qemu-stable@nongnu.org
	14	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
	15	Signed-off-by: Jason Wang <jasowang@redhat.com>
	16	---
	17	hw/net/pcnet.c \| 8 +++++---
	18	1 file changed, 5 insertions(+), 3 deletions(-)
	19
	20	diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
	21	index 0eb3cc4..309c40b 100644
	22	--- a/hw/net/pcnet.c
	23	+++ b/hw/net/pcnet.c
	24	@@ -1084,7 +1084,7 @@ ssize_t pcnet_receive(NetClientState nc, const uint8_t buf, size_t size_)
	25	uint32_t fcs = ~0;
	26	uint8_t *p = src;
	27
	28	- while (p != &src[size-4])
	29	+ while (p != &src[size])
	30	CRC(fcs, *p++);
	31	crc_err = ((uint32_t )p != htonl(fcs));
	32	}
	33	@@ -1233,8 +1233,10 @@ static void pcnet_transmit(PCNetState *s)
	34	bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
	35
	36	/* if multi-tmd packet outsizes s->buffer then skip it silently.
	37	- Note: this is not what real hw does */
	38	- if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
	39	+ * Note: this is not what real hw does.
	40	+ * Last four bytes of s->buffer are used to store CRC FCS code.
	41	+ */
	42	+ if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) {
	43	s->xmit_pos = -1;
	44	goto txdone;
	45	}
	46	--
	47	2.1.4
	48