git.ipfire.org Git - thirdparty/qemu.git/commit

]> git.ipfire.org Git - thirdparty/qemu.git/commit

projects / thirdparty / qemu.git / commit

author	Stefan Hajnoczi <stefanha@redhat.com>
	Wed, 15 Jul 2015 16:36:15 +0000 (17:36 +0100)
committer	Stefan Hajnoczi <stefanha@redhat.com>
	Mon, 3 Aug 2015 12:08:07 +0000 (13:08 +0100)
commit	4240be45632db7831129f124bcf53c1223825b0f
tree	0454d63865924ce7747459ab306b94f1d73b91ec	tree \| snapshot
parent	c6296ea88df040054ccd781f3945fe103f8c7c17	commit \| diff

rtl8139: skip offload on short TCP header (CVE-2015-5165)

TCP Large Segment Offload accesses the TCP header in the packet.  If the
packet is too short we must not attempt to access header fields:

  tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen);
  int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr);

Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

hw/net/rtl8139.c

diff | blob | blame | history

Mirror of https://git.qemu.org/git/qemu.git

RSS Atom