debian/patches/CVE-2015-7512-pcnet-rx-buffer-overflow.patch

   1 From 8b98a2f07175d46c3f7217639bd5e03f2ec56343 Mon Sep 17 00:00:00 2001
   2 From: Jason Wang <jasowang@redhat.com>
   3 Date: Mon, 30 Nov 2015 15:00:06 +0800
   4 Subject: [PATCH] pcnet: fix rx buffer overflow(CVE-2015-7512)
   5
   6 Backends could provide a packet whose length is greater than buffer
   7 size. Check for this and truncate the packet to avoid rx buffer
   8 overflow in this case.
   9
  10 Cc: Prasad J Pandit <pjp@fedoraproject.org>
  11 Cc: qemu-stable@nongnu.org
  12 Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
  13 Signed-off-by: Jason Wang <jasowang@redhat.com>
  14 ---
  15  hw/net/pcnet.c | 6 ++++++
  16  1 file changed, 6 insertions(+)
  17
  18 diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
  19 index 309c40b..1f4a3db 100644
  20 --- a/hw/net/pcnet.c
  21 +++ b/hw/net/pcnet.c
  22 @@ -1064,6 +1064,12 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
  23              int pktcount = 0;
  24
  25              if (!s->looptest) {
  26 +                if (size > 4092) {
  27 +#ifdef PCNET_DEBUG_RMD
  28 +                    fprintf(stderr, "pcnet: truncates rx packet.\n");
  29 +#endif
  30 +                    size = 4092;
  31 +                }
  32                  memcpy(src, buf, size);
  33                  /* no need to compute the CRC */
  34                  src[size] = 0;
  35 --
  36 2.1.4
  37