diff options
author | Stu Miller <slackbuilds@go4it2day.com> | 2012-05-13 11:28:54 -0500 |
---|---|---|
committer | Erik Hanson <erik@slackbuilds.org> | 2012-05-14 13:13:58 -0500 |
commit | fbbed6ecf52101bc99a190daef08b1faf2c0a858 (patch) | |
tree | 1ad06372f7fa88ccabf3f35c9367475176f562be /system/qemu-kvm/patches/qemu-kvm-1.0-CVE-2012-029.patch | |
parent | c7c23a0899b7b9c8c4ef038e2850e685ab87aa3a (diff) | |
download | slackbuilds-fbbed6ecf52101bc99a190daef08b1faf2c0a858.tar.gz |
system/qemu-kvm: Updated for version 1.0.1.
Signed-off-by: Robby Workman <rworkman@slackbuilds.org>
Diffstat (limited to 'system/qemu-kvm/patches/qemu-kvm-1.0-CVE-2012-029.patch')
-rw-r--r-- | system/qemu-kvm/patches/qemu-kvm-1.0-CVE-2012-029.patch | 37 |
1 files changed, 0 insertions, 37 deletions
diff --git a/system/qemu-kvm/patches/qemu-kvm-1.0-CVE-2012-029.patch b/system/qemu-kvm/patches/qemu-kvm-1.0-CVE-2012-029.patch deleted file mode 100644 index bd2bdc7425..0000000000 --- a/system/qemu-kvm/patches/qemu-kvm-1.0-CVE-2012-029.patch +++ /dev/null @@ -1,37 +0,0 @@ -From d0ed2d2e8e863a9a64c9fc9c08fa68bee546ad00 Mon Sep 17 00:00:00 2001 -From: Anthony Liguori <aliguori@us.ibm.com> -Date: Mon, 23 Jan 2012 07:30:43 -0600 -Subject: [PATCH 26/26] e1000: bounds packet size against buffer size - -Otherwise we can write beyond the buffer and corrupt memory. This is tracked -as CVE-2012-0029. - -Signed-off-by: Anthony Liguori <aliguori@us.ibm.com> ---- - hw/e1000.c | 3 +++ - 1 files changed, 3 insertions(+), 0 deletions(-) - -diff --git a/hw/e1000.c b/hw/e1000.c -index 986ed9c..e164d79 100644 ---- a/hw/e1000.c -+++ b/hw/e1000.c -@@ -466,6 +466,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) - bytes = split_size; - if (tp->size + bytes > msh) - bytes = msh - tp->size; -+ -+ bytes = MIN(sizeof(tp->data) - tp->size, bytes); - pci_dma_read(&s->dev, addr, tp->data + tp->size, bytes); - if ((sz = tp->size + bytes) >= hdr && tp->size < hdr) - memmove(tp->header, tp->data, hdr); -@@ -481,6 +483,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) - // context descriptor TSE is not set, while data descriptor TSE is set - DBGOUT(TXERR, "TCP segmentaion Error\n"); - } else { -+ split_size = MIN(sizeof(tp->data) - tp->size, split_size); - pci_dma_read(&s->dev, addr, tp->data + tp->size, split_size); - tp->size += split_size; - } --- -1.7.7.6 - |