[app-emulation/qemu] sync with tree

app-emulation/qemu/files/qemu-2.5.1-stellaris_enet-overflow.patch

@@ -0,0 +1,47 @@
+From 3a15cc0e1ee7168db0782133d2607a6bfa422d66 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Fri, 8 Apr 2016 11:33:48 +0530
+Subject: [PATCH] net: stellaris_enet: check packet length against receive
+ buffer
+
+When receiving packets over Stellaris ethernet controller, it
+uses receive buffer of size 2048 bytes. In case the controller
+accepts large(MTU) packets, it could lead to memory corruption.
+Add check to avoid it.
+
+Reported-by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 1460095428-22698-1-git-send-email-ppandit@redhat.com
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/net/stellaris_enet.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c
+index 84cf60b..6880894 100644
+--- a/hw/net/stellaris_enet.c
++++ b/hw/net/stellaris_enet.c
+@@ -236,8 +236,18 @@ static ssize_t stellaris_enet_receive(NetClientState *nc, const uint8_t *buf, si
+     n = s->next_packet + s->np;
+     if (n >= 31)
+         n -= 31;
+-    s->np++;
+ 
++    if (size >= sizeof(s->rx[n].data) - 6) {
++        /* If the packet won't fit into the
++         * emulated 2K RAM, this is reported
++         * as a FIFO overrun error.
++         */
++        s->ris |= SE_INT_FOV;
++        stellaris_enet_update(s);
++        return -1;
++    }
++
++    s->np++;
+     s->rx[n].len = size + 6;
+     p = s->rx[n].data;
+     *(p++) = (size + 6);
+-- 
+2.7.4
+