>From Debian Security Announce: CVE-2007-1321 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1321
Tavis Ormandy discovered that the NE2000 network driver and the socket code perform insufficient input validation, which might allow the execution of arbitrary code through a heap overflow. The patch below is the patch used by the Debian package to fix this. Index: hw/ne2000.c =================================================================== --- hw/ne2000.c.orig 2007-05-16 06:42:14.000000000 +0300 +++ hw/ne2000.c 2007-05-16 06:42:15.000000000 +0300 @@ -230,7 +230,7 @@ static void ne2000_receive(void *opaque, { NE2000State *s = opaque; uint8_t *p; - int total_len, next, avail, len, index, mcast_idx; + unsigned int total_len, next, avail, len, index, mcast_idx; uint8_t buf1[60]; static const uint8_t broadcast_macaddr[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; @@ -299,7 +299,11 @@ static void ne2000_receive(void *opaque, /* write packet data */ while (size > 0) { - avail = s->stop - index; + /* taviso: this can wrap, so check its okay. */ + if (index <= s->stop) + avail = s->stop - index; + else + avail = 0; len = size; if (len > avail) len = avail; -- .''`. Aurelien Jarno | GPG: 1024D/F1BCDB73 : :' : Debian developer | Electrical Engineer `. `' [EMAIL PROTECTED] | [EMAIL PROTECTED] `- people.debian.org/~aurel32 | www.aurel32.net