1 files changed, 0 insertions, 49 deletions

diff --git a/gnu/packages/patches/qemu-CVE-2015-3209.patch b/gnu/packages/patches/qemu-CVE-2015-3209.patch
deleted file mode 100644
index 0bb726698c..0000000000
--- a/gnu/packages/patches/qemu-CVE-2015-3209.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 9f7c594c006289ad41169b854d70f5da6e400a2a Mon Sep 17 00:00:00 2001
-From: Petr Matousek <pmatouse@redhat.com>
-Date: Sun, 24 May 2015 10:53:44 +0200
-Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx
-
-4096 is the maximum length per TMD and it is also currently the size of
-the relay buffer pcnet driver uses for sending the packet data to QEMU
-for further processing. With packet spanning multiple TMDs it can
-happen that the overall packet size will be bigger than sizeof(buffer),
-which results in memory corruption.
-
-Fix this by only allowing to queue maximum sizeof(buffer) bytes.
-
-This is CVE-2015-3209.
-
-[Fixed 3-space indentation to QEMU's 4-space coding standard.
---Stefan]
-
-Signed-off-by: Petr Matousek <pmatouse@redhat.com>
-Reported-by: Matt Tait <matttait@google.com>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- hw/net/pcnet.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
-index bdfd38f..68b9981 100644
---- a/hw/net/pcnet.c
-+++ b/hw/net/pcnet.c
-@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s)
-         }
- 
-         bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
-+
-+        /* if multi-tmd packet outsizes s->buffer then skip it silently.
-+           Note: this is not what real hw does */
-+        if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
-+            s->xmit_pos = -1;
-+            goto txdone;
-+        }
-+
-         s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
-                          s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
-         s->xmit_pos += bcnt;
--- 
-2.2.1
-