[pve-qemu-kvm.git] / debian / patches / extra / CVE-2016-7908-net-mcf-limit-buffer-descriptor-count.patch

From 94087c0cbe014b4a60d96930d7cb43d54a05c701 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 22 Sep 2016 16:02:37 +0530
Subject: [PATCH 6/7] net: mcf: limit buffer descriptor count

ColdFire Fast Ethernet Controller uses buffer descriptors to manage
data flow to/fro receive & transmit queues. While transmitting
packets, it could continue to read buffer descriptors if a buffer
descriptor has length of zero and has crafted values in bd.flags.
Set upper limit to number of buffer descriptors.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/net/mcf_fec.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
index 0ee8ad9..d31fea1 100644
--- a/hw/net/mcf_fec.c
+++ b/hw/net/mcf_fec.c
@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0)
 #define DPRINTF(fmt, ...) do {} while(0)
 #endif
 
+#define FEC_MAX_DESC 1024
 #define FEC_MAX_FRAME_SIZE 2032
 
 typedef struct {
@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
     uint32_t addr;
     mcf_fec_bd bd;
     int frame_size;
-    int len;
+    int len, descnt = 0;
     uint8_t frame[FEC_MAX_FRAME_SIZE];
     uint8_t *ptr;
 
@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
     ptr = frame;
     frame_size = 0;
     addr = s->tx_descriptor;
-    while (1) {
+    while (descnt++ < FEC_MAX_DESC) {
         mcf_fec_read_bd(&bd, addr);
         DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
                 addr, bd.flags, bd.length, bd.data);
-- 
2.1.4
Commit	Line	Data
68a30562	1	From 94087c0cbe014b4a60d96930d7cb43d54a05c701 Mon Sep 17 00:00:00 2001
d37e80a3 WB	2	From: Prasad J Pandit <pjp@fedoraproject.org>
d37e80a3 WB	3	Date: Thu, 22 Sep 2016 16:02:37 +0530
68a30562	4	Subject: [PATCH 6/7] net: mcf: limit buffer descriptor count
d37e80a3 WB	5
	6	ColdFire Fast Ethernet Controller uses buffer descriptors to manage
	7	data flow to/fro receive & transmit queues. While transmitting
	8	packets, it could continue to read buffer descriptors if a buffer
	9	descriptor has length of zero and has crafted values in bd.flags.
	10	Set upper limit to number of buffer descriptors.
	11
	12	Reported-by: Li Qiang <liqiang6-s@360.cn>
	13	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
	14	Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
	15	Signed-off-by: Jason Wang <jasowang@redhat.com>
	16	---
	17	hw/net/mcf_fec.c \| 5 +++--
	18	1 file changed, 3 insertions(+), 2 deletions(-)
	19
	20	diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
68a30562	21	index 0ee8ad9..d31fea1 100644
d37e80a3 WB	22	--- a/hw/net/mcf_fec.c
	23	+++ b/hw/net/mcf_fec.c
	24	@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0)
	25	#define DPRINTF(fmt, ...) do {} while(0)
	26	#endif
	27
	28	+#define FEC_MAX_DESC 1024
	29	#define FEC_MAX_FRAME_SIZE 2032
	30
	31	typedef struct {
	32	@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
	33	uint32_t addr;
	34	mcf_fec_bd bd;
	35	int frame_size;
	36	- int len;
	37	+ int len, descnt = 0;
	38	uint8_t frame[FEC_MAX_FRAME_SIZE];
	39	uint8_t *ptr;
	40
	41	@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
	42	ptr = frame;
	43	frame_size = 0;
	44	addr = s->tx_descriptor;
	45	- while (1) {
	46	+ while (descnt++ < FEC_MAX_DESC) {
	47	mcf_fec_read_bd(&bd, addr);
	48	DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
	49	addr, bd.flags, bd.length, bd.data);
	50	--
	51	2.1.4
	52