From: Li Qiang <liqiang...@360.cn> When the net transport abstraction layer initialises the pkt, the maximum fragmentation count is not checked. This could lead to an integer overflow causing a NULL pointer dereference. Add a check to avoid it.
Reported-by: Li Qiang <liqiang...@360.cn> Signed-off-by: Prasad J Pandit <p...@fedoraproject.org> --- hw/net/net_tx_pkt.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c index 53dfaa2..7ea3c17 100644 --- a/hw/net/net_tx_pkt.c +++ b/hw/net/net_tx_pkt.c @@ -58,9 +58,12 @@ struct NetTxPkt { bool is_loopback; }; +#define NET_PKT_MAX_FRAGS 16 /* ref: MAX_SKB_FRAGS in kernel driver */ + void net_tx_pkt_init(struct NetTxPkt **pkt, PCIDevice *pci_dev, uint32_t max_frags, bool has_virt_hdr) { + assert(max_frags <= NET_PKT_MAX_FRAGS); struct NetTxPkt *p = g_malloc0(sizeof *p); p->pci_dev = pci_dev; -- 2.5.5
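Review bot: the new `assert(max_frags <= NET_PKT_MAX_FRAGS);` is inserted between the opening brace of net_tx_pkt_init() and the declaration `struct NetTxPkt *p = g_malloc0(sizeof *p);`, which interleaves a statement with a declaration; QEMU's coding style keeps declarations at the start of a block, so move the assert below the declaration of `p`. Because the check is an assert and not an error return, an out-of-range `max_frags` now aborts the whole process; that is only acceptable if every caller passes a fixed, device-defined constant rather than a value a guest can influence, and the hunk does not show the callers, so the commit message should state where `max_frags` comes from and why abort is the right failure mode. The comment on `#define NET_PKT_MAX_FRAGS 16` points at MAX_SKB_FRAGS but not at what the limit protects; a short note that it bounds the fragment-array size whose overflow the description mentions would make the constant self-explaining.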