On 8/3/21 11:33 AM, Thomas Huth wrote:
> On 05/07/2021 10.40, Philippe Mathieu-Daudé wrote:
>> Our infrastructure can handle fragmented packets up to
>> NET_MAX_FRAG_SG_LIST (64) pieces. This hard limit has
>> been proven enough in production for years. If it is
>> reached, it is likely an evil crafted packet. Discard it.
>>
>> Include the qtest reproducer provided by Alexander Bulekov:
>>
>>    $ make check-qtest-i386
>>    ...
>>    Running test qtest-i386/fuzz-vmxnet3-test
>>    qemu-system-i386: net/eth.c:334: void eth_setup_ip4_fragmentation(const void *, size_t, void *, size_t, size_t, size_t, _Bool):
>>    Assertion `frag_offset % IP_FRAG_UNIT_SIZE == 0' failed.
>>
>> Cc: qemu-sta...@nongnu.org
>> Reported-by: OSS-Fuzz (Issue 35799)
>> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/460
>> Signed-off-by: Philippe Mathieu-Daudé <phi...@redhat.com>
>> ---
>>   hw/net/net_tx_pkt.c             |   8 ++
>>   tests/qtest/fuzz-vmxnet3-test.c | 195 ++++++++++++++++++++++++++++++++
>>   MAINTAINERS                     |   1 +
>>   tests/qtest/meson.build         |   1 +
>>   4 files changed, 205 insertions(+)
>>   create mode 100644 tests/qtest/fuzz-vmxnet3-test.c
> 
> Reviewed-by: Thomas Huth <th...@redhat.com>
> 
> Jason, I think this would even still qualify for QEMU v6.1 ?

Yes, easy one for 6.1.
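The fragment-count bound described in the quoted commit message, as an added C example that is not QEMU's own net_tx_pkt.c code: it plans IPv4 fragments in 8-byte offset units and discards any packet that would need more than NET_MAX_FRAG_SG_LIST pieces. The struct and function names are assumed, and IP_FRAG_UNIT_SIZE is taken as the standard 8-byte IPv4 fragment offset unit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NET_MAX_FRAG_SG_LIST 64   /* hard limit named in the commit message */
#define IP_FRAG_UNIT_SIZE    8    /* IPv4 fragment offsets count 8-byte units */

struct frag_plan {               /* hypothetical, for illustration only */
    size_t offset;               /* byte offset of this fragment's payload */
    size_t len;                  /* payload bytes carried by this fragment */
    bool   more;                 /* more-fragments flag */
};

/* Fill out[] with the fragments needed for payload_len bytes when each
 * fragment may carry max_payload bytes. Returns the fragment count, or 0
 * when the packet must be discarded: a zero-size unit, or more pieces
 * than NET_MAX_FRAG_SG_LIST (the "likely crafted" case). Every offset is
 * a multiple of IP_FRAG_UNIT_SIZE, the invariant the assertion checks. */
size_t plan_ip4_fragments(size_t payload_len, size_t max_payload,
                          struct frag_plan out[NET_MAX_FRAG_SG_LIST])
{
    size_t unit = max_payload - max_payload % IP_FRAG_UNIT_SIZE;
    size_t count = 0;
    if (unit == 0) return 0;
    for (size_t off = 0; off < payload_len; off += unit) {
        if (count == NET_MAX_FRAG_SG_LIST) return 0;   /* too many pieces */
        size_t remaining = payload_len - off;
        out[count].offset = off;
        out[count].len    = remaining > unit ? unit : remaining;
        out[count].more   = remaining > unit;
        count++;
    }
    return count;
}

/* Convenience wrapper: how many fragments would the packet need (0 = discard). */
size_t count_ip4_fragments(size_t payload_len, size_t max_payload)
{
    struct frag_plan plan[NET_MAX_FRAG_SG_LIST];
    return plan_ip4_fragments(payload_len, max_payload, plan);
}

/* True when every planned offset honours the IP_FRAG_UNIT_SIZE alignment. */
bool offsets_aligned(size_t payload_len, size_t max_payload)
{
    struct frag_plan plan[NET_MAX_FRAG_SG_LIST];
    size_t n = plan_ip4_fragments(payload_len, max_payload, plan);
    for (size_t i = 0; i < n; i++)
        if (plan[i].offset % IP_FRAG_UNIT_SIZE != 0) return false;
    return true;
}
```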