fd9a5b0fc3
* gnu/packages/patches/qemu-CVE-2015-6855.patch: Delete file. * gnu/packages/patches/qemu-virtio-9p-use-accessor-to-get-thread-pool.patch, gnu/packages/patches/qemu-CVE-2015-8558.patch, gnu/packages/patches/qemu-CVE-2015-8567.patch, gnu/packages/patches/qemu-CVE-2015-8613.patch, gnu/packages/patches/qemu-CVE-2015-8701.patch, gnu/packages/patches/qemu-CVE-2015-8743.patch, gnu/packages/patches/qemu-CVE-2016-1568.patch, gnu/packages/patches/qemu-CVE-2016-1922.patch: New files. * gnu-system.am (dist_patch_DATA): Remove 'qemu-CVE-2015-6855.patch'; add the new patches. * gnu/packages/qemu.scm (qemu): Update to 2.5.0. [source]: Remove old patches and add new ones. [arguments]: Add 'disable-test-qga' phase. (%glib-memory-vtable-patch, %glib-duplicate-test-patch): Remove variables.
47 lines
1.6 KiB
Diff
47 lines
1.6 KiB
Diff
From 007cd223de527b5f41278f2d886c1a4beb3e67aa Mon Sep 17 00:00:00 2001
|
|
From: Prasad J Pandit <pjp@fedoraproject.org>
|
|
Date: Mon, 28 Dec 2015 16:24:08 +0530
|
|
Subject: [PATCH] net: rocker: fix an incorrect array bounds check
|
|
|
|
While processing transmit(tx) descriptors in 'tx_consume' routine
|
|
the switch emulator suffers from an off-by-one error, if a
|
|
descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=16)
|
|
fragments. Fix an incorrect bounds check to avoid it.
|
|
|
|
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
|
Cc: qemu-stable@nongnu.org
|
|
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
|
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
|
---
|
|
hw/net/rocker/rocker.c | 8 ++++----
|
|
1 file changed, 4 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
|
|
index c57f1a6..2e77e50 100644
|
|
--- a/hw/net/rocker/rocker.c
|
|
+++ b/hw/net/rocker/rocker.c
|
|
@@ -232,6 +232,9 @@ static int tx_consume(Rocker *r, DescInfo *info)
|
|
frag_addr = rocker_tlv_get_le64(tlvs[ROCKER_TLV_TX_FRAG_ATTR_ADDR]);
|
|
frag_len = rocker_tlv_get_le16(tlvs[ROCKER_TLV_TX_FRAG_ATTR_LEN]);
|
|
|
|
+ if (iovcnt >= ROCKER_TX_FRAGS_MAX) {
|
|
+ goto err_too_many_frags;
|
|
+ }
|
|
iov[iovcnt].iov_len = frag_len;
|
|
iov[iovcnt].iov_base = g_malloc(frag_len);
|
|
if (!iov[iovcnt].iov_base) {
|
|
@@ -244,10 +247,7 @@ static int tx_consume(Rocker *r, DescInfo *info)
|
|
err = -ROCKER_ENXIO;
|
|
goto err_bad_io;
|
|
}
|
|
-
|
|
- if (++iovcnt > ROCKER_TX_FRAGS_MAX) {
|
|
- goto err_too_many_frags;
|
|
- }
|
|
+ iovcnt++;
|
|
}
|
|
|
|
if (iovcnt) {
|
|
--
|
|
2.6.3
|
|
|