> On 11 Aug 2016, at 11:08 AM, Dmitry Fleytman <dmi...@daynix.com> wrote: > > > Acked-by: Dmitry Fleytman <dmi...@daynix.com>
Oops, please ignore this ACK, I replied to the wrong e-mail. As far as I see max_frags for VMXNET3 is a size of device’s TX ring so this will always assert. I don’t think we need this limitation in the device code. Maximum number of fragments is an internal knowledge of network backend. ~Dmitry > >> On 10 Aug 2016, at 23:38 PM, P J P <ppan...@redhat.com> wrote: >> >> From: Li Qiang <liqiang...@360.cn> >> >> When net transport abstraction layer initialises the pkt, >> the maximum fragmentation count is not checked. This could >> lead to an integer overflow causing a NULL pointer dereference. >> Add check to avoid it. >> >> Reported-by: Li Qiang <liqiang...@360.cn> >> Signed-off-by: Prasad J Pandit <p...@fedoraproject.org> >> --- >> hw/net/net_tx_pkt.c | 3 +++ >> 1 file changed, 3 insertions(+) >> >> diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c >> index 53dfaa2..7ea3c17 100644 >> --- a/hw/net/net_tx_pkt.c >> +++ b/hw/net/net_tx_pkt.c >> @@ -58,9 +58,12 @@ struct NetTxPkt { >> bool is_loopback; >> }; >> >> +#define NET_PKT_MAX_FRAGS 16 /* ref: MAX_SKB_FRAGS in kernel driver */ >> + >> void net_tx_pkt_init(struct NetTxPkt **pkt, PCIDevice *pci_dev, >> uint32_t max_frags, bool has_virt_hdr) >> { >> + assert(max_frags <= NET_PKT_MAX_FRAGS); >> struct NetTxPkt *p = g_malloc0(sizeof *p); >> >> p->pci_dev = pci_dev; >> -- >> 2.5.5 >> >
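Review bot: the new `assert(max_frags <= NET_PKT_MAX_FRAGS)` in net_tx_pkt_init() aborts the whole QEMU process on an out-of-range value instead of rejecting it, and, as the reply above notes, vmxnet3 passes the size of its TX ring as max_frags, so with NET_PKT_MAX_FRAGS fixed at 16 the assertion would trip on an ordinary device configuration rather than only in the overflow case the commit message describes. If the aim is to prevent the integer overflow, the check belongs at the point where max_frags is used to size an allocation and should fail gracefully there (return an error or clamp the value); the hunk itself does not show that allocation, so a reviewer cannot confirm that 16 is the correct bound for every caller of net_tx_pkt_init(). Alternatively, as the reply suggests, let each network backend enforce the fragment limit it actually knows. The comment `/* ref: MAX_SKB_FRAGS in kernel driver */` also ties a device-model limit to a guest kernel constant that the emulated device does not control; if a constant is kept, document why that value holds for all callers.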