@@ -814,6 +814,7 @@ dist_patch_DATA = \
%D%/packages/patches/qemu-CVE-2016-8576.patch \
%D%/packages/patches/qemu-CVE-2016-8577.patch \
%D%/packages/patches/qemu-CVE-2016-8578.patch \
+ %D%/packages/patches/qemu-CVE-2016-8910.patch \
%D%/packages/patches/qt4-ldflags.patch \
%D%/packages/patches/quickswitch-fix-dmenu-check.patch \
%D%/packages/patches/rapicorn-isnan.patch \
new file mode 100644
@@ -0,0 +1,30 @@
+From: Prasad J Pandit <ppandit@redhat.com>
+
+RTL8139 ethernet controller in C+ mode supports multiple
+descriptor rings, each with maximum of 64 descriptors. While
+processing transmit descriptor ring in 'rtl8139_cplus_transmit',
+it does not limit the descriptor count and runs forever. Add
+check to avoid it.
+
+Reported-by: Andrew Henderson <address@hidden>
+Signed-off-by: Prasad J Pandit <ppandit@redhat.com>
+---
+ hw/net/rtl8139.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
+index 3345bc6..f05e59c 100644
+--- a/hw/net/rtl8139.c
++++ b/hw/net/rtl8139.c
+@@ -2350,7 +2350,7 @@ static void rtl8139_cplus_transmit(RTL8139State *s)
+ {
+ int txcount = 0;
+
+- while (rtl8139_cplus_transmit_one(s))
++ while (txcount < 64 && rtl8139_cplus_transmit_one(s))
+ {
+ ++txcount;
+ }
+--
+2.7.4
+
@@ -79,7 +79,8 @@
"0lqyz01z90nvxpc3nx4djbci7hx62cwvs5zwd6phssds0sap6vij"))
(patches (search-patches "qemu-CVE-2016-8576.patch"
"qemu-CVE-2016-8577.patch"
- "qemu-CVE-2016-8578.patch"))))
+ "qemu-CVE-2016-8578.patch"
+ "qemu-CVE-2016-8910.patch"))))
(build-system gnu-build-system)
(arguments
'(;; Running tests in parallel can occasionally lead to failures, like: