e1000: Avoid infinite loop in processing transmit descriptor (CVE-2015-6815)

While processing transmit descriptors, it could lead to an infinite loop if 'bytes' was to become zero; Add a check to avoid it. [The guest can force 'bytes' to 0 by setting the hdr_len and mss descriptor fields to 0. --Stefan] Signed-off-by: N P J P <pjp@fedoraproject.org> Signed-off-by: N Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: N Thomas Huth <thuth@redhat.com> Message-id: 1441383666-6590-1-git-send-email-stefanha@redhat.com

e1000: Avoid infinite loop in processing transmit descriptor (CVE-2015-6815)
While processing transmit descriptors, it could lead to an infinite loop if 'bytes' was to become zero; Add a check to avoid it. [The guest can force 'bytes' to 0 by setting the hdr_len and mss descriptor fields to 0. --Stefan] Signed-off-by: N P J P <pjp@fedoraproject.org> Signed-off-by: N Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: N Thomas Huth <thuth@redhat.com> Message-id: 1441383666-6590-1-git-send-email-stefanha@redhat.com
b947ac2b · P J P · Stefan Hajnoczi · 2752e5be · b947ac2b
隐藏空白更改
内联并排

Showing with 2 addition and 1 deletion

hw/net/e1000.c hw/net/e1000.c +2 -1

未找到文件。
--- a/hw/net/e1000.c
+++ b/hw/net/e1000.c
@@ -740,7 +740,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
                memmove(tp->data, tp->header, tp->hdr_len);
                tp->size = tp->hdr_len;
            }
-        } while (split_size -= bytes);
+            split_size -= bytes;
+        } while (bytes && split_size);
    } else if (!tp->tse && tp->cptse) {
        // context descriptor TSE is not set, while data descriptor TSE is set
        DBGOUT(TXERR, "TCP segmentation error\n");