debian/patches/extra/CVE-2016-9776-net-mcf-check-receive-buffer-size-register-value.patch

   1 From 2a4848046ad64db5cb1c1090565a28a5cb2c518e Mon Sep 17 00:00:00 2001
   2 From: Prasad J Pandit <pjp@fedoraproject.org>
   3 Date: Tue, 29 Nov 2016 00:38:39 +0530
   4 Subject: [PATCH 01/12] net: mcf: check receive buffer size register value
   5
   6 ColdFire Fast Ethernet Controller uses a receive buffer size
   7 register(EMRBR) to hold maximum size of all receive buffers.
   8 It is set by a user before any operation. If it was set to be
   9 zero, ColdFire emulator would go into an infinite loop while
  10 receiving data in mcf_fec_receive. Add check to avoid it.
  11
  12 Reported-by: Wjjzhang <wjjzhang@tencent.com>
  13 Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
  14 Signed-off-by: Jason Wang <jasowang@redhat.com>
  15 ---
  16  hw/net/mcf_fec.c | 2 +-
  17  1 file changed, 1 insertion(+), 1 deletion(-)
  18
  19 diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
  20 index d31fea1..3d4b3b3 100644
  21 --- a/hw/net/mcf_fec.c
  22 +++ b/hw/net/mcf_fec.c
  23 @@ -393,7 +393,7 @@ static void mcf_fec_write(void *opaque, hwaddr addr,
  24          s->tx_descriptor = s->etdsr;
  25          break;
  26      case 0x188:
  27 -        s->emrbr = value & 0x7f0;
  28 +        s->emrbr = value > 0 ? value & 0x7F0 : 0x7F0;
  29          break;
  30      default:
  31          hw_error("mcf_fec_write Bad address 0x%x\n", (int)addr);
  32 --
  33 2.1.4
  34