debian/patches/extra/CVE-2016-7907-net-imx-limit-buffer-descriptor-count.patch

   1 From 53102ff7c9c928e2c778a6440f7039ee29dc5acf Mon Sep 17 00:00:00 2001
   2 From: Prasad J Pandit <pjp@fedoraproject.org>
   3 Date: Thu, 22 Sep 2016 16:01:38 +0530
   4 Subject: [PATCH 3/5] net: imx: limit buffer descriptor count
   5
   6 i.MX Fast Ethernet Controller uses buffer descriptors to manage
   7 data flow to/fro receive & transmit queues. While transmitting
   8 packets, it could continue to read buffer descriptors if a buffer
   9 descriptor has length of zero and has crafted values in bd.flags.
  10 Set an upper limit to number of buffer descriptors.
  11
  12 Reported-by: Li Qiang <liqiang6-s@360.cn>
  13 Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
  14 ---
  15  hw/net/imx_fec.c | 6 ++++--
  16  1 file changed, 4 insertions(+), 2 deletions(-)
  17
  18 diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
  19 index e60e338..547fa99 100644
  20 --- a/hw/net/imx_fec.c
  21 +++ b/hw/net/imx_fec.c
  22 @@ -94,6 +94,8 @@ static const VMStateDescription vmstate_imx_fec = {
  23  #define PHY_INT_PARFAULT            (1 << 2)
  24  #define PHY_INT_AUTONEG_PAGE        (1 << 1)
  25
  26 +#define IMX_MAX_DESC                1024
  27 +
  28  static void imx_fec_update(IMXFECState *s);
  29
  30  /*
  31 @@ -264,12 +266,12 @@ static void imx_fec_update(IMXFECState *s)
  32
  33  static void imx_fec_do_tx(IMXFECState *s)
  34  {
  35 -    int frame_size = 0;
  36 +    int frame_size = 0, descnt = 0;
  37      uint8_t frame[FEC_MAX_FRAME_SIZE];
  38      uint8_t *ptr = frame;
  39      uint32_t addr = s->tx_descriptor;
  40
  41 -    while (1) {
  42 +    while (descnt++ < IMX_MAX_DESC) {
  43          IMXFECBufDesc bd;
  44          int len;
  45
  46 --
  47 2.1.4
  48