various CVE fixes
1 From c2f17c0e4754b5140fb79371dc8cb7973ff5d1b0 Mon Sep 17 00:00:00 2001
2 From: Li Qiang <liqiang6-s@360.cn>
3 Date: Tue, 16 Aug 2016 16:58:01 +0530
4 Subject: [PATCH 3/5] net: vmxnet: use g_new for pkt initialisation
5
6 When network transport abstraction layer initialises pkt, the maximum
7 fragmentation count is not checked. This could lead to an integer
8 overflow causing a NULL pointer dereference. Replace g_malloc() with
9 g_new() to catch the multiplication overflow.
10
11 Reported-by: Li Qiang <liqiang6-s@360.cn>
12 Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
13 Acked-by: Dmitry Fleytman <dmitry@daynix.com>
14 Signed-off-by: Jason Wang <jasowang@redhat.com>
15 ---
16 hw/net/vmxnet_tx_pkt.c | 5 ++---
17 1 file changed, 2 insertions(+), 3 deletions(-)
18
19 diff --git a/hw/net/vmxnet_tx_pkt.c b/hw/net/vmxnet_tx_pkt.c
20 index f4d0f5f..9152444 100644
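--- a/hw/net/vmxnet_tx_pkt.c
+++ b/hw/net/vmxnet_tx_pkt.c
@@ -60,10 +60,9 @@ void vmxnet_tx_pkt_init(struct VmxnetTxPkt **pkt, uint32_t max_frags,
 {
 struct VmxnetTxPkt *p = g_malloc0(sizeof *p);
 
- p->vec = g_malloc((sizeof *p->vec) *
- (max_frags + VMXNET_TX_PKT_PL_START_FRAG));
+ p->vec = g_new(struct iovec, max_frags + VMXNET_TX_PKT_PL_START_FRAG);
 
- p->raw = g_malloc((sizeof *p->raw) * max_frags);
+ p->raw = g_new(struct iovec, max_frags);
 
 p->max_payload_frags = max_frags;
 p->max_raw_frags = max_frags;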
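Review bot: The sum `max_frags + VMXNET_TX_PKT_PL_START_FRAG` in the new `p->vec` allocation is evaluated before `g_new()` sees it, so `g_new()` guards only the multiplication by the element size. If that addition is done in 32-bit unsigned arithmetic (max_frags is `uint32_t`), a value near UINT32_MAX would wrap to a small count while `p->max_payload_frags` still records the large one. An explicit bound before the allocations would close this, e.g. `assert(max_frags <= UINT32_MAX - VMXNET_TX_PKT_PL_START_FRAG);`, or preferably a check against the device's own fragment limit in the caller. A short comment should also say that `g_new()` aborts the process on overflow, so an unchecked count ends in a controlled abort rather than a recoverable error. Whether callers already clamp max_frags is not visible here, and the body of vmxnet_tx_pkt_init continues past the end of the hunk.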
36 --
37 2.1.4
38