An assertion failure issue was reported by Mr. Ziming Zhang (CC'd). It occurs in
the code that processes network packets while adding data fragments into packet
context. This flaw could potentially be abused by a malicious guest to abort the
QEMU process on the host. This two-patch series does a couple of things:

  - introduces a new function in net_tx_pkt.{c,h} to check the maximum number
    of data fragments
  - adds a check in both e1000e and vmxnet3 devices to skip the packet if the
    current data fragment exceeds max_raw_frags, preventing
    net_tx_pkt_add_raw_fragment() from being called with an invalid raw_frags

Mauro Matteo Cascella (2):
  hw/net/net_tx_pkt: add function to check pkt->max_raw_frags
  hw/net: check max_raw_frags in e1000e and vmxnet3 devices

 hw/net/e1000e_core.c | 3 ++-
 hw/net/net_tx_pkt.c  | 5 +++++
 hw/net/net_tx_pkt.h  | 8 ++++++++
 hw/net/vmxnet3.c     | 3 ++-
 4 files changed, 17 insertions(+), 2 deletions(-)

-- 
2.26.2
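
The check described in this cover letter, as an added example that is not code from the series or from QEMU: a simplified C model in which the add path asserts on capacity and the device loop tests the limit first and skips the packet. The struct, all function names and the placement of the assert are assumptions made for illustration.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model of a TX packet context (assumption, not QEMU's struct). */
struct tx_pkt {
    unsigned raw_frags;     /* fragments added so far */
    unsigned max_raw_frags; /* capacity fixed when the context is created */
    size_t total_len;
};

/* Models the reported failure mode: the add path asserts on capacity, so an
 * unchecked caller aborts the whole process when the limit is reached. */
static void tx_pkt_add_raw_fragment(struct tx_pkt *pkt, size_t len)
{
    assert(pkt->raw_frags < pkt->max_raw_frags);
    pkt->raw_frags++;
    pkt->total_len += len;
}

/* Hypothetical name for the kind of helper the series introduces. */
static bool tx_pkt_exceed_max_fragments(const struct tx_pkt *pkt)
{
    return pkt->raw_frags >= pkt->max_raw_frags;
}

/* Device-side loop; frag_lens[] stands in for guest-supplied descriptors.
 * Returns true if the packet was assembled, false if it was skipped. */
static bool device_process_tx(struct tx_pkt *pkt, const size_t *frag_lens, size_t n)
{
    pkt->raw_frags = 0;
    pkt->total_len = 0;
    for (size_t i = 0; i < n; i++) {
        if (tx_pkt_exceed_max_fragments(pkt)) {
            pkt->raw_frags = 0; /* skip the packet instead of asserting */
            pkt->total_len = 0;
            return false;
        }
        tx_pkt_add_raw_fragment(pkt, frag_lens[i]);
    }
    return true;
}

int main(void)
{
    struct tx_pkt pkt = { 0, 4, 0 };
    size_t lens[6] = { 64, 64, 64, 64, 64, 64 }; /* constructed input */
    printf("6 frags, max 4: %s\n", device_process_tx(&pkt, lens, 6) ? "sent" : "skipped");
    return 0;
}
```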