]>
Commit | Line | Data |
---|---|---|
95fd47ec OB |
1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
2 | From: Mauro Matteo Cascella <mcascell@redhat.com> | |
3 | Date: Sat, 1 Aug 2020 18:42:38 +0200 | |
4 | Subject: [PATCH] hw/net/net_tx_pkt: fix assertion failure in | |
5 | net_tx_pkt_add_raw_fragment() | |
6 | ||
7 | An assertion failure issue was found in the code that processes network packets | |
8 | while adding data fragments into the packet context. It could be abused by a | |
9 | malicious guest to abort the QEMU process on the host. This patch replaces the | |
10 | affected assert() with a conditional statement, returning false if the current | |
11 | data fragment exceeds max_raw_frags. | |
12 | ||
13 | Reported-by: Alexander Bulekov <alxndr@bu.edu> | |
14 | Reported-by: Ziming Zhang <ezrakiez@gmail.com> | |
15 | Reviewed-by: Dmitry Fleytman <dmitry.fleytman@gmail.com> | |
16 | Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> | |
17 | Signed-off-by: Jason Wang <jasowang@redhat.com> | |
18 | (cherry picked from commit 035e69b063835a5fd23cacabd63690a3d84532a8) | |
19 | Signed-off-by: Oguz Bektas <o.bektas@proxmox.com> | |
20 | --- | |
21 | hw/net/net_tx_pkt.c | 5 ++++- | |
22 | 1 file changed, 4 insertions(+), 1 deletion(-) | |
23 | ||
24 | diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c | |
25 | index 162f802dd7..54d4c3bbd0 100644 | |
26 | --- a/hw/net/net_tx_pkt.c | |
27 | +++ b/hw/net/net_tx_pkt.c | |
28 | @@ -379,7 +379,10 @@ bool net_tx_pkt_add_raw_fragment(struct NetTxPkt *pkt, hwaddr pa, | |
29 | hwaddr mapped_len = 0; | |
30 | struct iovec *ventry; | |
31 | assert(pkt); | |
32 | - assert(pkt->max_raw_frags > pkt->raw_frags); | |
33 | + | |
34 | + if (pkt->raw_frags >= pkt->max_raw_frags) { | |
35 | + return false; | |
36 | + } | |
37 | ||
38 | if (!len) { | |
39 | return true; | |
40 | -- | |
41 | 2.20.1 | |
42 |