+-- On Wed, 21 Sep 2016, Paolo Bonzini wrote --+ | On 21/09/2016 15:45, P J P wrote: | > DPRINTF("tx_bd %x flags %04x len %d data %08x\n", | > addr, bd.flags, bd.length, bd.data); | > - if ((bd.flags & FEC_BD_R) == 0) { | > + if (!bd.length || (bd.flags & FEC_BD_R) == 0) { | > /* Run out of descriptors to transmit. */ | > break; | > } | | Is this a bug?
Yes, a guest user can control the contents of buffer descriptor 'bd' and could set its length to zero and bd.flags to FEC_BD_R; Thus making the loop run infinite iterations. Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F