+++ /dev/null
-From 59fb70f22143eccdf74639871e862df0c2f570fc Mon Sep 17 00:00:00 2001
-From: Jason Wang <jasowang@redhat.com>
-Date: Mon, 30 Nov 2015 15:38:23 +0800
-Subject: [PATCH 2/2] pcnet: fix rx buffer overflow(CVE-2015-7512)
-
-Backends could provide a packet whose length is greater than buffer
-size. Check for this and truncate the packet to avoid rx buffer
-overflow in this case.
-
-Cc: Prasad J Pandit <pjp@fedoraproject.org>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Jason Wang <jasowang@redhat.com>
----
- hw/net/pcnet.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
-index 309c40b..1f4a3db 100644
---- a/hw/net/pcnet.c
-+++ b/hw/net/pcnet.c
-@@ -1064,6 +1064,12 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
- int pktcount = 0;
-
- if (!s->looptest) {
-+ if (size > 4092) {
-+#ifdef PCNET_DEBUG_RMD
-+ fprintf(stderr, "pcnet: truncates rx packet.\n");
-+#endif
-+ size = 4092;
-+ }
- memcpy(src, buf, size);
- /* no need to compute the CRC */
- src[size] = 0;
---
-2.1.4
-