Message ID | 20201127154524.1902024-3-philmd@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Series | net: Do not accept packets with invalid huge size |
On 2020/11/27 11:45 PM, Philippe Mathieu-Daudé wrote: > Ensure no packet bigger than NET_BUFSIZE is queued via > qemu_net_queue_append*() by adding assertions. > > Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> > --- > net/queue.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/net/queue.c b/net/queue.c > index 221a1c87961..94b98b19ef9 100644 > --- a/net/queue.c > +++ b/net/queue.c > @@ -102,6 +102,8 @@ static void qemu_net_queue_append(NetQueue *queue, > if (queue->nq_count >= queue->nq_maxlen && !sent_cb) { > return; /* drop if queue full and no callback */ > } > + > + assert(size <= NET_BUFSIZE); > packet = g_malloc(sizeof(NetPacket) + size); > packet->sender = sender; > packet->flags = flags; > @@ -131,6 +133,7 @@ void qemu_net_queue_append_iov(NetQueue *queue, > max_len += iov[i].iov_len; > } > > + assert(max_len <= NET_BUFSIZE); > packet = g_malloc(sizeof(NetPacket) + max_len); > packet->sender = sender; > packet->sent_cb = sent_cb; Any way to avoid the assert here? Thanks
diff --git a/net/queue.c b/net/queue.c index 221a1c87961..94b98b19ef9 100644 --- a/net/queue.c +++ b/net/queue.c @@ -102,6 +102,8 @@ static void qemu_net_queue_append(NetQueue *queue, if (queue->nq_count >= queue->nq_maxlen && !sent_cb) { return; /* drop if queue full and no callback */ } + + assert(size <= NET_BUFSIZE); packet = g_malloc(sizeof(NetPacket) + size); packet->sender = sender; packet->flags = flags; @@ -131,6 +133,7 @@ void qemu_net_queue_append_iov(NetQueue *queue, max_len += iov[i].iov_len; } + assert(max_len <= NET_BUFSIZE); packet = g_malloc(sizeof(NetPacket) + max_len); packet->sender = sender; packet->sent_cb = sent_cb;
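Review bot: In the first hunk (qemu_net_queue_append), assert(size <= NET_BUFSIZE) turns an oversized packet into a process abort instead of a rejected packet. The lines just above already have a drop path for the queue-full case (return; /* drop if queue full and no callback */), so an oversized size could be dropped the same way, with a decision about what happens to sent_cb when it is set, since the existing drop only applies when there is no callback. If the assertion is meant purely as an internal invariant that callers already guarantee, a comment naming where size is validated would make that clear.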
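Review bot: In the second hunk (qemu_net_queue_append_iov), assert(max_len <= NET_BUFSIZE) runs only after the loop has finished summing iov[i].iov_len into max_len, so it checks the final total rather than each step. The declaration of max_len is outside this hunk; if its type allows the sum to wrap, the check would see the wrapped value and the g_malloc(sizeof(NetPacket) + max_len) below would be sized from it. Bounding the running total inside the loop and returning early when it exceeds NET_BUFSIZE would cover that and avoid the abort, in line with the question raised in the reply.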
Ensure no packet bigger than NET_BUFSIZE is queued via qemu_net_queue_append*() by adding assertions. Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> --- net/queue.c | 3 +++ 1 file changed, 3 insertions(+)