net: avoid infinite loop when receiving packets(CVE-2015-5278)
Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152) bytes to process network packets. While receiving packets via ne2000_receive() routine, a local 'index' variable could exceed the ring buffer size, leading to an infinite loop situation. Reported-by: Qinghao Tang <luodalongde@gmail.com> Signed-off-by: P J P <pjp@fedoraproject.org> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
This commit is contained in:
parent
9bbdbc66e5
commit
737d2b3c41
@ -247,7 +247,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
|
||||
if (index <= s->stop)
|
||||
avail = s->stop - index;
|
||||
else
|
||||
avail = 0;
|
||||
break;
|
||||
len = size;
|
||||
if (len > avail)
|
||||
len = avail;
|
||||
|
Loading…
Reference in New Issue
Block a user