[pve-qemu-kvm.git] / debian / patches / CVE-2015-8701-net-rocker-off-by-one.patch

From 60e8fd72b0faaf940e220a0514001b86b7149e09 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Mon, 28 Dec 2015 16:24:08 +0530
Subject: [PATCH] net: rocker: fix an incorrect array bounds check

While processing transmit(tx) descriptors in 'tx_consume' routine
the switch emulator suffers from an off-by-one error, if a
descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=16)
fragments. Fix an incorrect bounds check to avoid it.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/net/rocker/rocker.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
index c57f1a6..2e77e50 100644
--- a/hw/net/rocker/rocker.c
+++ b/hw/net/rocker/rocker.c
@@ -232,6 +232,9 @@ static int tx_consume(Rocker *r, DescInfo *info)
         frag_addr = rocker_tlv_get_le64(tlvs[ROCKER_TLV_TX_FRAG_ATTR_ADDR]);
         frag_len = rocker_tlv_get_le16(tlvs[ROCKER_TLV_TX_FRAG_ATTR_LEN]);
 
+        if (iovcnt >= ROCKER_TX_FRAGS_MAX) {
+            goto err_too_many_frags;
+        }
         iov[iovcnt].iov_len = frag_len;
         iov[iovcnt].iov_base = g_malloc(frag_len);
         if (!iov[iovcnt].iov_base) {
@@ -244,10 +247,7 @@ static int tx_consume(Rocker *r, DescInfo *info)
             err = -ROCKER_ENXIO;
             goto err_bad_io;
         }
-
-        if (++iovcnt > ROCKER_TX_FRAGS_MAX) {
-            goto err_too_many_frags;
-        }
+        iovcnt++;
     }
 
     if (iovcnt) {
-- 
2.1.4
Commit	Line	Data
1c771352 WB	1	From 60e8fd72b0faaf940e220a0514001b86b7149e09 Mon Sep 17 00:00:00 2001
	2	From: Prasad J Pandit <pjp@fedoraproject.org>
	3	Date: Mon, 28 Dec 2015 16:24:08 +0530
	4	Subject: [PATCH] net: rocker: fix an incorrect array bounds check
	5
	6	While processing transmit(tx) descriptors in 'tx_consume' routine
	7	the switch emulator suffers from an off-by-one error, if a
	8	descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=16)
	9	fragments. Fix an incorrect bounds check to avoid it.
	10
	11	Reported-by: Qinghao Tang <luodalongde@gmail.com>
	12	Cc: qemu-stable@nongnu.org
	13	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
	14	Signed-off-by: Jason Wang <jasowang@redhat.com>
	15	---
	16	hw/net/rocker/rocker.c \| 8 ++++----
	17	1 file changed, 4 insertions(+), 4 deletions(-)
	18
	19	diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
	20	index c57f1a6..2e77e50 100644
	21	--- a/hw/net/rocker/rocker.c
	22	+++ b/hw/net/rocker/rocker.c
	23	@@ -232,6 +232,9 @@ static int tx_consume(Rocker r, DescInfo info)
	24	frag_addr = rocker_tlv_get_le64(tlvs[ROCKER_TLV_TX_FRAG_ATTR_ADDR]);
	25	frag_len = rocker_tlv_get_le16(tlvs[ROCKER_TLV_TX_FRAG_ATTR_LEN]);
	26
	27	+ if (iovcnt >= ROCKER_TX_FRAGS_MAX) {
	28	+ goto err_too_many_frags;
	29	+ }
	30	iov[iovcnt].iov_len = frag_len;
	31	iov[iovcnt].iov_base = g_malloc(frag_len);
	32	if (!iov[iovcnt].iov_base) {
	33	@@ -244,10 +247,7 @@ static int tx_consume(Rocker r, DescInfo info)
	34	err = -ROCKER_ENXIO;
	35	goto err_bad_io;
	36	}
	37	-
	38	- if (++iovcnt > ROCKER_TX_FRAGS_MAX) {
	39	- goto err_too_many_frags;
	40	- }
	41	+ iovcnt++;
	42	}
	43
	44	if (iovcnt) {
	45	--
	46	2.1.4
	47