[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH, Security] insufficient input validation in NE2000 c
|
From: |
Aurelien Jarno |
|
Subject: |
[Qemu-devel] [PATCH, Security] insufficient input validation in NE2000 card |
|
Date: |
Sat, 23 Jun 2007 00:55:13 +0200 |
|
User-agent: |
Mutt/1.5.13 (2006-08-11) |
>From Debian Security Announce:
CVE-2007-1321
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1321
Tavis Ormandy discovered that the NE2000 network driver and the socket
code perform insufficient input validation, which might allow the
execution of arbitrary code through a heap overflow.
The patch below is the patch used by the Debian package to fix this.
Index: hw/ne2000.c
===================================================================
--- hw/ne2000.c.orig 2007-05-16 06:42:14.000000000 +0300
+++ hw/ne2000.c 2007-05-16 06:42:15.000000000 +0300
@@ -230,7 +230,7 @@ static void ne2000_receive(void *opaque,
{
NE2000State *s = opaque;
uint8_t *p;
- int total_len, next, avail, len, index, mcast_idx;
+ unsigned int total_len, next, avail, len, index, mcast_idx;
uint8_t buf1[60];
static const uint8_t broadcast_macaddr[6] =
{ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
@@ -299,7 +299,11 @@ static void ne2000_receive(void *opaque,
/* write packet data */
while (size > 0) {
- avail = s->stop - index;
+ /* taviso: this can wrap, so check its okay. */
+ if (index <= s->stop)
+ avail = s->stop - index;
+ else
+ avail = 0;
len = size;
if (len > avail)
len = avail;
--
.''`. Aurelien Jarno | GPG: 1024D/F1BCDB73
: :' : Debian developer | Electrical Engineer
`. `' address@hidden | address@hidden
`- people.debian.org/~aurel32 | www.aurel32.net
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Qemu-devel] [PATCH, Security] insufficient input validation in NE2000 card,
Aurelien Jarno <=