git.proxmox.com Git - pve-qemu-kvm.git/blobdiff - debian/patches/extra/CVE-2016-7161-hw-net-Fix-a-heap-overflow-in-xlnx.xps-ethernetlite.patch
update to qemu-2.9.0-rc2
diff --git a/debian/patches/extra/CVE-2016-7161-hw-net-Fix-a-heap-overflow-in-xlnx.xps-ethernetlite.patch b/debian/patches/extra/CVE-2016-7161-hw-net-Fix-a-heap-overflow-in-xlnx.xps-ethernetlite.patch
deleted file mode 100644 (file)
index 1c14d8c..0000000
+++ /dev/null
@@ -1,35 +0,0 @@
-From b5cfb53ba6a976d0d478eb438a5ada3b719e8d59 Mon Sep 17 00:00:00 2001
-From: chaojianhu <chaojianhu@hotmail.com>
-Date: Tue, 9 Aug 2016 11:52:54 +0800
-Subject: [PATCH 2/5] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite
-
-The .receive callback of xlnx.xps-ethernetlite doesn't check the length
-of data before calling memcpy. As a result, the NetClientState object in
-heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite
-will be affected.
-
-Reported-by: chaojianhu <chaojianhu@hotmail.com>
-Signed-off-by: chaojianhu <chaojianhu@hotmail.com>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
----
- hw/net/xilinx_ethlite.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c
-index bc846e7..12b7419 100644
---- a/hw/net/xilinx_ethlite.c
-+++ b/hw/net/xilinx_ethlite.c
-@@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t *buf, size_t size)
-     }
-     D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase));
-+    if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4) {
-+        D(qemu_log("ethlite packet is too big, size=%x\n", size));
-+        return -1;
-+    }
-     memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size);
-     s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;
--- 
-2.1.4
-
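Review bot: nothing in the visible change says why it is safe to delete this CVE-2016-7161 patch, since the commit subject only reads "update to qemu-2.9.0-rc2". Please state in the commit message that the new upstream base already carries the `size > (R_MAX - R_RX_BUF0 - rxbase) * 4` check ahead of the `memcpy` in `eth_rx()`, and confirm it against the rebased `hw/net/xilinx_ethlite.c`, so the heap overflow described in the patch is not reintroduced by the rebase. A smaller point on the patch being dropped, in case it is ever carried again: its debug line prints `size` (a `size_t`) with `%x`, while the existing log line just above it uses `%zd`; the specifier should be `%zx` or `%zu` to match the type.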