+-- On Wed, 21 Sep 2016, Paolo Bonzini wrote --+
| On 21/09/2016 15:45, P J P wrote:
| > DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
| > addr, bd.flags, bd.length, bd.data);
| > - if ((bd.flags & FEC_BD_R) == 0) {
| > + if (!bd.length || (bd.flags & FEC_BD_R) == 0) {
| > /* Run out of descriptors to transmit. */
| > break;
| > }
|
| Is this a bug?
Yes, a guest user can control the contents of buffer descriptor 'bd' and
could set its length to zero and bd.flags to FEC_BD_R; Thus making the loop
run infinite iterations.
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
