diff options
Diffstat (limited to 'app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6058.patch')
| -rw-r--r-- | app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6058.patch | 112 |
1 files changed, 0 insertions, 112 deletions
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6058.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6058.patch deleted file mode 100644 index 666c18cc..00000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6058.patch +++ /dev/null @@ -1,112 +0,0 @@ -This patch fixed a problem that was introduced in commit eb700029. - -When net_rx_pkt_attach_iovec() calls eth_strip_vlan() -this can result in pkt->ehdr_buf being overflowed, because -ehdr_buf is only sizeof(struct eth_header) bytes large -but eth_strip_vlan() can write -sizeof(struct eth_header) + sizeof(struct vlan_header) -bytes into it. - -Devices affected by this problem: vmxnet3. - -Reported-by: Peter Maydell <address@hidden> -Signed-off-by: Dmitry Fleytman <address@hidden> ---- - hw/net/net_rx_pkt.c | 34 +++++++++++++++++----------------- - 1 file changed, 17 insertions(+), 17 deletions(-) - -diff --git a/hw/net/net_rx_pkt.c b/hw/net/net_rx_pkt.c -index 1019b50..7c0beac 100644 ---- a/hw/net/net_rx_pkt.c -+++ b/hw/net/net_rx_pkt.c -@@ -23,13 +23,13 @@ - - struct NetRxPkt { - struct virtio_net_hdr virt_hdr; -- uint8_t ehdr_buf[sizeof(struct eth_header)]; -+ uint8_t ehdr_buf[sizeof(struct eth_header) + sizeof(struct vlan_header)]; - struct iovec *vec; - uint16_t vec_len_total; - uint16_t vec_len; - uint32_t tot_len; - uint16_t tci; -- bool vlan_stripped; -+ size_t ehdr_buf_len; - bool has_virt_hdr; - eth_pkt_types_e packet_type; - -@@ -88,15 +88,13 @@ net_rx_pkt_pull_data(struct NetRxPkt *pkt, - const struct iovec *iov, int iovcnt, - size_t ploff) - { -- if (pkt->vlan_stripped) { -+ if (pkt->ehdr_buf_len) { - net_rx_pkt_iovec_realloc(pkt, iovcnt + 1); - - pkt->vec[0].iov_base = pkt->ehdr_buf; -- pkt->vec[0].iov_len = sizeof(pkt->ehdr_buf); -- -- pkt->tot_len = -- iov_size(iov, iovcnt) - ploff + sizeof(struct eth_header); -+ pkt->vec[0].iov_len = pkt->ehdr_buf_len; - -+ pkt->tot_len = iov_size(iov, iovcnt) - ploff + pkt->ehdr_buf_len; - pkt->vec_len = iov_copy(pkt->vec + 1, pkt->vec_len_total - 1, - iov, iovcnt, ploff, pkt->tot_len); - } else { -@@ -123,11 +121,12 @@ void net_rx_pkt_attach_iovec(struct NetRxPkt *pkt, - uint16_t tci = 0; - uint16_t ploff = iovoff; - assert(pkt); -- pkt->vlan_stripped = false; - - if (strip_vlan) { -- pkt->vlan_stripped = eth_strip_vlan(iov, iovcnt, iovoff, pkt->ehdr_buf, -- &ploff, &tci); -+ pkt->ehdr_buf_len = eth_strip_vlan(iov, iovcnt, iovoff, pkt->ehdr_buf, -+ &ploff, &tci); -+ } else { -+ pkt->ehdr_buf_len = 0; - } - - pkt->tci = tci; -@@ -143,12 +142,13 @@ void net_rx_pkt_attach_iovec_ex(struct NetRxPkt *pkt, - uint16_t tci = 0; - uint16_t ploff = iovoff; - assert(pkt); -- pkt->vlan_stripped = false; - - if (strip_vlan) { -- pkt->vlan_stripped = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet, -- pkt->ehdr_buf, -- &ploff, &tci); -+ pkt->ehdr_buf_len = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet, -+ pkt->ehdr_buf, -+ &ploff, &tci); -+ } else { -+ pkt->ehdr_buf_len = 0; - } - - pkt->tci = tci; -@@ -162,8 +162,8 @@ void net_rx_pkt_dump(struct NetRxPkt *pkt) - NetRxPkt *pkt = (NetRxPkt *)pkt; - assert(pkt); - -- printf("RX PKT: tot_len: %d, vlan_stripped: %d, vlan_tag: %d\n", -- pkt->tot_len, pkt->vlan_stripped, pkt->tci); -+ printf("RX PKT: tot_len: %d, ehdr_buf_len: %lu, vlan_tag: %d\n", -+ pkt->tot_len, pkt->ehdr_buf_len, pkt->tci); - #endif - } - -@@ -426,7 +426,7 @@ bool net_rx_pkt_is_vlan_stripped(struct NetRxPkt *pkt) - { - assert(pkt); - -- return pkt->vlan_stripped; -+ return pkt->ehdr_buf_len ? true : false; - } - - bool net_rx_pkt_has_virt_hdr(struct NetRxPkt *pkt) --- -2.7.4 |