Blame qemu.trad.CVE-2016-9776.patch
From 77d54985b85a0cb760330ec2bd92505e0a2a97a9 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Tue, 29 Nov 2016 00:38:39 +0530
Subject: [PATCH] net: mcf: check receive buffer size register value
ColdFire Fast Ethernet Controller uses a receive buffer size
register(EMRBR) to hold maximum size of all receive buffers.
It is set by a user before any operation. If it was set to be
zero, ColdFire emulator would go into an infinite loop while
receiving data in mcf_fec_receive. Add check to avoid it.
Reported-by: Wjjzhang <wjjzhang@tencent.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
hw/net/mcf_fec.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/hw/mcf_fec.c b/hw/mcf_fec.c
index dc61bac..4025eb3 100644
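--- a/hw/mcf_fec.c
+++ b/hw/mcf_fec.c
@@ -393,7 +393,7 @@ static void mcf_fec_write(void *opaque, hwaddr addr,
 s->tx_descriptor = s->etdsr;
 break;
 case 0x188:
- s->emrbr = value & 0x7f0;
+ s->emrbr = value > 0 ? value & 0x7F0 : 0x7F0;
 break;
 default:
 cpu_abort(cpu_single_env, "mcf_fec_write Bad address 0x%x\n",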
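Review bot: The new assignment under `case 0x188` tests `value` before applying the mask, so a non-zero write with none of bits 4-10 set (constructed examples: 0x1 or 0x800) still stores 0 in `s->emrbr`. That is the same state the commit message says makes mcf_fec_receive loop forever, so the guest-triggerable hang is only partly closed. Test the masked result instead, for example `s->emrbr = (value & 0x7F0) ? (value & 0x7F0) : 0x7F0;`. mcf_fec_write starts and ends outside this hunk and mcf_fec_receive is not shown, so it is worth confirming whether the receive loop should also reject a zero buffer length on its own.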
--
1.7.0.4