[pve-qemu-kvm.git] / debian / patches / extra / CVE-2016-9776-net-mcf-check-receive-buffer-size-register-value.patch

From 2a4848046ad64db5cb1c1090565a28a5cb2c518e Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Tue, 29 Nov 2016 00:38:39 +0530
Subject: [PATCH 01/12] net: mcf: check receive buffer size register value

ColdFire Fast Ethernet Controller uses a receive buffer size
register(EMRBR) to hold maximum size of all receive buffers.
It is set by a user before any operation. If it was set to be
zero, ColdFire emulator would go into an infinite loop while
receiving data in mcf_fec_receive. Add check to avoid it.

Reported-by: Wjjzhang <wjjzhang@tencent.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/net/mcf_fec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
index d31fea1..3d4b3b3 100644
--- a/hw/net/mcf_fec.c
+++ b/hw/net/mcf_fec.c
@@ -393,7 +393,7 @@ static void mcf_fec_write(void *opaque, hwaddr addr,
         s->tx_descriptor = s->etdsr;
         break;
     case 0x188:
-        s->emrbr = value & 0x7f0;
+        s->emrbr = value > 0 ? value & 0x7F0 : 0x7F0;
         break;
     default:
         hw_error("mcf_fec_write Bad address 0x%x\n", (int)addr);
-- 
2.1.4
Commit	Line	Data
f262231e WB	1	From 2a4848046ad64db5cb1c1090565a28a5cb2c518e Mon Sep 17 00:00:00 2001
	2	From: Prasad J Pandit <pjp@fedoraproject.org>
	3	Date: Tue, 29 Nov 2016 00:38:39 +0530
	4	Subject: [PATCH 01/12] net: mcf: check receive buffer size register value
	5
	6	ColdFire Fast Ethernet Controller uses a receive buffer size
	7	register(EMRBR) to hold maximum size of all receive buffers.
	8	It is set by a user before any operation. If it was set to be
	9	zero, ColdFire emulator would go into an infinite loop while
	10	receiving data in mcf_fec_receive. Add check to avoid it.
	11
	12	Reported-by: Wjjzhang <wjjzhang@tencent.com>
	13	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
	14	Signed-off-by: Jason Wang <jasowang@redhat.com>
	15	---
	16	hw/net/mcf_fec.c \| 2 +-
	17	1 file changed, 1 insertion(+), 1 deletion(-)
	18
	19	diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
	20	index d31fea1..3d4b3b3 100644
	21	--- a/hw/net/mcf_fec.c
	22	+++ b/hw/net/mcf_fec.c
	23	@@ -393,7 +393,7 @@ static void mcf_fec_write(void *opaque, hwaddr addr,
	24	s->tx_descriptor = s->etdsr;
	25	break;
	26	case 0x188:
	27	- s->emrbr = value & 0x7f0;
	28	+ s->emrbr = value > 0 ? value & 0x7F0 : 0x7F0;
	29	break;
	30	default:
	31	hw_error("mcf_fec_write Bad address 0x%x\n", (int)addr);
	32	--
	33	2.1.4
	34