This patch adds a check in both e1000e and vmxnet3 devices to skip the packet if the current data fragment exceeds max_raw_frags, preventing net_tx_pkt_add_raw_fragment() from being called with an invalid raw_frags.
Reported-by: Ziming Zhang <ezrak...@gmail.com>
Signed-off-by: Mauro Matteo Cascella <mcasc...@redhat.com>
---
 hw/net/e1000e_core.c | 3 ++-
 hw/net/vmxnet3.c | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c
index bcd186cac5..c573a30d63 100644
--- a/hw/net/e1000e_core.c
+++ b/hw/net/e1000e_core.c
@@ -728,7 +728,8 @@ e1000e_process_tx_desc(E1000ECore *core,
 addr = le64_to_cpu(dp->buffer_addr);
 if (!tx->skip_cp) {
- if (!net_tx_pkt_add_raw_fragment(tx->tx_pkt, addr, split_size)) {
+ if (net_tx_pkt_exceed_max_fragments(tx->tx_pkt) ||
+ !net_tx_pkt_add_raw_fragment(tx->tx_pkt, addr, split_size)) {
 tx->skip_cp = true;
 }
 }
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index 7a6ca4ec35..f482806037 100644
--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
@@ -650,7 +650,8 @@ static void vmxnet3_process_tx_queue(VMXNET3State *s, int qidx)
 data_len = (txd.len > 0) ? txd.len : VMXNET3_MAX_TX_BUF_SIZE;
 data_pa = txd.addr;
- if (!net_tx_pkt_add_raw_fragment(s->tx_pkt,
+ if (net_tx_pkt_exceed_max_fragments(s->tx_pkt) ||
+ !net_tx_pkt_add_raw_fragment(s->tx_pkt,
 data_pa, data_len)) {
 s->skip_current_tx_pkt = true;
--
2.26.2
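Review bot: The fragment-limit check is placed at the call site in e1000e_process_tx_desc() (and repeated in the vmxnet3_process_tx_queue() hunk) instead of inside net_tx_pkt_add_raw_fragment(), so any other caller of that helper can still invoke it once raw_frags has reached max_raw_frags. The helper is not shown in this patch; if it does not already reject that state, an early `return false;` there when no fragment slot is left would cover every device model at once and leave these two call-site checks as defence in depth. The descriptors handled here presumably come from the guest, which is why the limit should hold regardless of which device reaches the helper. e1000e_process_tx_desc() begins and ends outside the hunk.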
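Review bot: In the vmxnet3_process_tx_queue() hunk the new `if` is not nested under a skip test the way the e1000e one is under `if (!tx->skip_cp)`, at least in the visible lines, so the only thing keeping net_tx_pkt_add_raw_fragment() from running on a full packet is the left-to-right short-circuit of `||`. That ordering deserves a comment above the condition, for example `/* must be tested first: add_raw_fragment() must not run once max_raw_frags is reached */`, so a later cleanup does not swap the operands. The same comment would fit the condition in e1000e_core.c. The function body continues outside the hunk.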