net: avoid infinite loop when receiving packets(CVE-2015-5278) Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152) bytes to process network packets. While receiving packets via ne2000_receive() routine, a local 'index' variable could exceed the ring buffer size, leading to an infinite loop situation. Reported-by: Qinghao Tang <luodalongde@gmail.com> Signed-off-by: P J P <pjp@fedoraproject.org> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit 737d2b3c41d59eb8f94ab7eb419b957938f24943) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

commit: 5a1ccdfe44946e726b4c6fda8a4493b3931a68c1 [log] [tgz]
author: P J P <pjp@fedoraproject.org> Tue Sep 15 16:46:59 2015 +0530
committer: Michael Roth <mdroth@linux.vnet.ibm.com> Mon Sep 21 17:04:22 2015 -0500
tree: 014d80860fcfad2a55a71b72b985ac90f1944b98
parent: 7aa2bcad0ca837dd6d4bf4fa38a80314b4a6b755 [diff]
diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
index 9278571..2bdb4c9 100644
--- a/hw/net/ne2000.c
+++ b/hw/net/ne2000.c

@@ -256,7 +256,7 @@
         if (index <= s->stop)
             avail = s->stop - index;
         else
-            avail = 0;
+            break;
         len = size;
         if (len > avail)
             len = avail;
commit	5a1ccdfe44946e726b4c6fda8a4493b3931a68c1	[log] [tgz]
author	P J P <pjp@fedoraproject.org>	Tue Sep 15 16:46:59 2015 +0530
committer	Michael Roth <mdroth@linux.vnet.ibm.com>	Mon Sep 21 17:04:22 2015 -0500
tree	014d80860fcfad2a55a71b72b985ac90f1944b98
parent	7aa2bcad0ca837dd6d4bf4fa38a80314b4a6b755 [diff]