From 6e6215b3ad0c8eac918bca9e2b5bb661e27f2fed Mon Sep 17 00:00:00 2001
From: zhouli57
Date: Sat, 18 Dec 2021 09:39:57 +0800
Subject: [PATCH] net: eepro100: validate various address valuesi(CVE-2021-20255) fix CVE-2021-20255 patch link: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html fix CVE-2021-20255, sync patch from ostms platform.
Signed-off-by: zhouli57
Signed-off-by: Yan Wang
---
 hw/net/eepro100.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
index 69e1c4bb89..f6204ec059 100644
--- a/hw/net/eepro100.c
+++ b/hw/net/eepro100.c
@@ -279,6 +279,9 @@ typedef struct {
 /* Quasi static device properties (no need to save them). */
 uint16_t stats_size;
 bool has_extended_tcb_support;
+
+ /* Flag to avoid recursions. */
+ bool busy;
 } EEPRO100State;

 /* Word indices in EEPROM. */
@@ -844,6 +847,14 @@ static void action_command(EEPRO100State *s)
 Therefore we limit the number of iterations. */
 unsigned max_loop_count = 16;

+ if (s->busy) {
+ /* Prevent recursions. */
+ logout("recursion in %s:%u\n", __FILE__, __LINE__);
+ return;
+ }
+
+ s->busy = true;
+
 for (;;) {
 bool bit_el;
 bool bit_s;
@@ -940,6 +951,7 @@ static void action_command(EEPRO100State *s)
 }
 TRACE(OTHER, logout("CU list empty\n"));
 /* List is empty. Now CU is idle or suspended. */
+ s->busy = false;
 }

 static void eepro100_cu_command(EEPRO100State * s, uint8_t val)
--
2.27.0
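Review bot: The new `busy` field in the first hunk sits under the existing heading `/* Quasi static device properties (no need to save them). */`, but it is transient run-time state rather than a device property, so the grouping misleads anyone checking which fields are saved. A comment such as `/* Re-entrancy guard for action_command(); set only while it runs, so it is not saved. */` would record why leaving it out of the saved state is intended. The start of the struct and the device's reset and save/load code are outside this hunk, so it is worth confirming that a device reset also leaves the flag false.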
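Review bot: The `logout(...)` call in the new `if (s->busy)` branch of the second hunk is unconditional, whereas the other message visible in this patch is gated as `TRACE(OTHER, logout("CU list empty\n"));`. The surrounding comment says the loop can be driven by handcrafted data, so this branch is presumably reachable at will by a guest, which could then fill the host's log with the message. Consider `TRACE(OTHER, logout("recursion in %s:%u\n", __FILE__, __LINE__));` or a rate-limited report so the event stays visible without being floodable. The rest of action_command's body is outside the hunk.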
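Review bot: `s->busy = false;` in the third hunk is added only on the last line of action_command(), so the flag is cleared only on paths that fall out of the `for (;;)` loop. The loop body lies between this hunk and the previous one and is not shown. If any path there leaves with `return` instead of `break`, `busy` stays true and every later call stops at the new guard, leaving the command unit unusable for the guest. A comment at the top of the loop, for example `/* Exit with break only: s->busy must be cleared below. */`, would protect that invariant against future edits.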