From: P J P <pjp@fedoraproject.org>
Date: Tue, 15 Sep 2015 14:28:25 +0000 (+0000)
Subject: e1000: Avoid infinite loop in processing transmit descriptor (CVE-2015-6815)
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=ea582e3a9e00ff0ab158f9b75df717cea0f5debb;p=qemu-upstream-4.3-testing.git

e1000: Avoid infinite loop in processing transmit descriptor (CVE-2015-6815)

While processing transmit descriptors, it could lead to an infinite
loop if 'bytes' was to become zero; Add a check to avoid it.

[The guest can force 'bytes' to 0 by setting the hdr_len and mss
descriptor fields to 0.
--Stefan]

upstream-commit-id: b947ac2bf26479e710489739c465c8af336599e7

Signed-off-by: P J P <pjp@fedoraproject.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-id: 1441383666-6590-1-git-send-email-stefanha@redhat.com
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
---

diff --git a/hw/e1000.c b/hw/e1000.c
index e772c8e3f..8e097f12c 100644
--- a/hw/e1000.c
+++ b/hw/e1000.c
@@ -597,7 +597,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
                 memmove(tp->data, tp->header, hdr);
                 tp->size = hdr;
             }
-        } while (split_size -= bytes);
+            split_size -= bytes;
+        } while (bytes && split_size);
     } else if (!tp->tse && tp->cptse) {
         // context descriptor TSE is not set, while data descriptor TSE is set
         DBGOUT(TXERR, "TCP segmentation error\n");