e1000: Avoid infinite loop in processing transmit descriptor (CVE-2015-6815)
authorP J P <pjp@fedoraproject.org>
Fri, 4 Sep 2015 16:21:06 +0000 (17:21 +0100)
committerMichael Roth <mdroth@linux.vnet.ibm.com>
Mon, 21 Sep 2015 22:04:05 +0000 (17:04 -0500)
commit3a56af1fbc17ff453f6e90fb08ce0c0e6fd0b61b
treed3479139b6a12dd7533a2c00a2dfdebf76ac6b1d
parentefec4dcd2552e85ed57f276b58f09fc385727450
e1000: Avoid infinite loop in processing transmit descriptor (CVE-2015-6815)

While processing transmit descriptors, it could lead to an infinite
loop if 'bytes' was to become zero; Add a check to avoid it.

[The guest can force 'bytes' to 0 by setting the hdr_len and mss
descriptor fields to 0.
--Stefan]

Signed-off-by: P J P <pjp@fedoraproject.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-id: 1441383666-6590-1-git-send-email-stefanha@redhat.com
(cherry picked from commit b947ac2bf26479e710489739c465c8af336599e7)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
hw/net/e1000.c