path: root/emulators/qemu/patches/patch-CVE-2016-7907
$NetBSD: patch-CVE-2016-7907,v 1.1 2016/10/30 14:48:00 spz Exp $

from:
https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg05556.html

From: Prasad J Pandit <address@hidden>

i.MX Fast Ethernet Controller uses buffer descriptors to manage
data flow to/fro receive & transmit queues. While transmitting
packets, it could continue to read buffer descriptors if a buffer
descriptor has length of zero and has crafted values in bd.flags.
Set an upper limit on the number of buffer descriptors.

Reported-by: Li Qiang <address@hidden>

--- hw/net/imx_fec.c.orig	2016-09-02 15:34:19.000000000 +0000
+++ hw/net/imx_fec.c
@@ -220,6 +220,8 @@ static const VMStateDescription vmstate_
 #define PHY_INT_PARFAULT            (1 << 2)
 #define PHY_INT_AUTONEG_PAGE        (1 << 1)
 
+#define IMX_MAX_DESC                1024
+
 static void imx_eth_update(IMXFECState *s);
 
 /*
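Review bot: `IMX_MAX_DESC` is added with no comment saying what it bounds, and it sits directly under the `PHY_INT_*` bit definitions, where it reads like one more PHY constant. A comment above the define would help, for example `/* Max buffer descriptors walked in one imx_fec_do_tx() pass; bounds the loop against guest-crafted zero-length descriptors (CVE-2016-7907). */`. The hunk does not show how 1024 relates to any real ring size, so it is worth stating whether the value is a hardware limit or only a safety cap. In the second hunk the loop now exits silently once the cap is reached; the rest of imx_fec_do_tx lies outside the visible lines, so whether that exit path needs a guest-error log or a status/interrupt update should be checked there.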
@@ -402,12 +404,12 @@ static void imx_eth_update(IMXFECState *
 
 static void imx_fec_do_tx(IMXFECState *s)
 {
-    int frame_size = 0;
+    int frame_size = 0, descnt = 0;
     uint8_t frame[ENET_MAX_FRAME_SIZE];
     uint8_t *ptr = frame;
     uint32_t addr = s->tx_descriptor;
 
-    while (1) {
+    while (descnt++ < IMX_MAX_DESC) {
         IMXFECBufDesc bd;
         int len;