qemu-irix/hw/net
P J P 5a1ccdfe44 net: avoid infinite loop when receiving packets(CVE-2015-5278)
Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
bytes to process network packets. While receiving packets
via ne2000_receive() routine, a local 'index' variable
could exceed the ring buffer size, leading to an infinite
loop situation.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: P J P <pjp@fedoraproject.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 737d2b3c41)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2015-09-21 17:04:22 -05:00
..
fsl_etsec etsec: Flush queue when rx buffer is consumed 2015-07-27 14:12:18 +01:00
rocker rocker: mark copy-to-cpu pkts as forwarding offloaded 2015-07-07 13:13:22 +01:00
Makefile.objs qmp/hmp: add rocker device support 2015-06-12 13:42:17 +01:00
allwinner_emac.c net: remove all cleanup methods from NIC NetClientInfos 2015-01-12 10:16:23 +00:00
cadence_gem.c cadence_gem: Fix Rx buffer size field mask 2015-06-03 16:03:03 +03:00
dp8393x.c net/dp8393x: do not use memory_region_init_rom_device with NULL 2015-07-28 09:30:10 +01:00
e1000.c e1000: Avoid infinite loop in processing transmit descriptor (CVE-2015-6815) 2015-09-21 17:04:05 -05:00
e1000_regs.h
eepro100.c eepro100: Drop nic_can_receive 2015-07-27 14:12:18 +01:00
etraxfs_eth.c etraxfs_eth: Drop eth_can_receive 2015-07-20 17:47:24 +01:00
lan9118.c lan9118: Drop lan9118_can_receive 2015-07-20 17:47:24 +01:00
lance.c pcnet: Drop pcnet_can_receive 2015-07-27 14:12:18 +01:00
mcf_fec.c hw/net: handle flow control in mcf_fec driver receiver 2015-07-28 11:27:53 +01:00
milkymist-minimac2.c milkymist-minimac2: Flush queued packets when link comes up 2015-07-27 14:12:18 +01:00
mipsnet.c mipsnet: Flush queued packets when receiving is enabled 2015-07-27 14:12:18 +01:00
ne2000-isa.c net: remove all cleanup methods from NIC NetClientInfos 2015-01-12 10:16:23 +00:00
ne2000.c net: avoid infinite loop when receiving packets(CVE-2015-5278) 2015-09-21 17:04:22 -05:00
ne2000.h
opencores_eth.c net: remove all cleanup methods from NIC NetClientInfos 2015-01-12 10:16:23 +00:00
pcnet-pci.c pcnet: Drop pcnet_can_receive 2015-07-27 14:12:18 +01:00
pcnet.c pcnet: Drop pcnet_can_receive 2015-07-27 14:12:18 +01:00
pcnet.h pcnet: Drop pcnet_can_receive 2015-07-27 14:12:18 +01:00
rtl8139.c rtl8139: check TCP Data Offset field (CVE-2015-5165) 2015-08-03 13:08:10 +01:00
smc91c111.c net: remove all cleanup methods from NIC NetClientInfos 2015-01-12 10:16:23 +00:00
spapr_llan.c spapr: Merge sPAPREnvironment into sPAPRMachineState 2015-07-07 17:44:50 +02:00
stellaris_enet.c stellaris_enet: Flush queued packets when read done 2015-07-27 14:12:18 +01:00
vhost_net.c Revert "vhost-user: add multi queue support" 2015-07-20 14:19:40 +03:00
virtio-net.c virtio: get_features() can fail 2015-07-27 18:11:53 +03:00
vmware_utils.h
vmxnet3.c net/vmxnet3: Fix RX TCP/UDP checksum on partially summed packets 2015-07-20 17:39:05 +01:00
vmxnet3.h
vmxnet_debug.h
vmxnet_rx_pkt.c net/vmxnet3: Refactor 'vmxnet_rx_pkt_attach_data' 2015-07-20 17:39:05 +01:00
vmxnet_rx_pkt.h net/vmxnet3: Refactor 'vmxnet_rx_pkt_attach_data' 2015-07-20 17:39:05 +01:00
vmxnet_tx_pkt.c
vmxnet_tx_pkt.h
xen_nic.c xen: Drop net_rx_ok 2015-07-28 11:35:54 +01:00
xgmac.c xgmac: Drop packets with eth_can_rx is false. 2015-07-27 14:12:18 +01:00
xilinx_axienet.c axienet: Flush queued packets when rx is done 2015-07-27 14:12:18 +01:00
xilinx_ethlite.c xilinx_ethlite: Clean up after commit 2f991ad 2015-03-10 08:15:33 +03:00