Message ID | 1471346881-16679-1-git-send-email-ppandit@redhat.com (mailing list archive) |
---|---|
State | New, archived |
acked-by: Dmitry Fleytman <dmitry@daynix.com> > On 16 Aug 2016, at 14:28, P J P <ppandit@redhat.com> wrote: > > From: Li Qiang <liqiang6-s@360.cn> > > When network transport abstraction layer initialises pkt, the maximum > fragmentation count is not checked. This could lead to an integer > overflow causing a NULL pointer dereference. Replace g_malloc() with > g_new() to catch the multiplication overflow. > > Reported-by: Li Qiang <liqiang6-s@360.cn> > Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> > --- > hw/net/net_tx_pkt.c | 5 ++--- > 1 file changed, 2 insertions(+), 3 deletions(-) > > Update as per review: > -> https://lists.gnu.org/archive/html/qemu-devel/2016-08/msg02544.html > > diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c > index 53dfaa2..20b2549 100644 > --- a/hw/net/net_tx_pkt.c > +++ b/hw/net/net_tx_pkt.c > @@ -65,10 +65,9 @@ void net_tx_pkt_init(struct NetTxPkt **pkt, PCIDevice *pci_dev, > > p->pci_dev = pci_dev; > > - p->vec = g_malloc((sizeof *p->vec) * > - (max_frags + NET_TX_PKT_PL_START_FRAG)); > + p->vec = g_new(struct iovec, max_frags + NET_TX_PKT_PL_START_FRAG); > > - p->raw = g_malloc((sizeof *p->raw) * max_frags); > + p->raw = g_new(struct iovec, max_frags); > > p->max_payload_frags = max_frags; > p->max_raw_frags = max_frags; > -- > 2.5.5 >
On 2016年08月16日 19:29, Dmitry Fleytman wrote: > acked-by: Dmitry Fleytman <dmitry@daynix.com> > >> On 16 Aug 2016, at 14:28, P J P <ppandit@redhat.com> wrote: >> >> From: Li Qiang <liqiang6-s@360.cn> >> >> When network transport abstraction layer initialises pkt, the maximum >> fragmentation count is not checked. This could lead to an integer >> overflow causing a NULL pointer dereference. Replace g_malloc() with >> g_new() to catch the multiplication overflow. >> >> Reported-by: Li Qiang <liqiang6-s@360.cn> >> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> >> --- >> hw/net/net_tx_pkt.c | 5 ++--- >> 1 file changed, 2 insertions(+), 3 deletions(-) >> >> Update as per review: >> -> https://lists.gnu.org/archive/html/qemu-devel/2016-08/msg02544.html >> >> diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c >> index 53dfaa2..20b2549 100644 >> --- a/hw/net/net_tx_pkt.c >> +++ b/hw/net/net_tx_pkt.c >> @@ -65,10 +65,9 @@ void net_tx_pkt_init(struct NetTxPkt **pkt, PCIDevice *pci_dev, >> >> p->pci_dev = pci_dev; >> >> - p->vec = g_malloc((sizeof *p->vec) * >> - (max_frags + NET_TX_PKT_PL_START_FRAG)); >> + p->vec = g_new(struct iovec, max_frags + NET_TX_PKT_PL_START_FRAG); >> >> - p->raw = g_malloc((sizeof *p->raw) * max_frags); >> + p->raw = g_new(struct iovec, max_frags); >> >> p->max_payload_frags = max_frags; >> p->max_raw_frags = max_frags; >> -- >> 2.5.5 >> Applied, thanks.
diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c index 53dfaa2..20b2549 100644 --- a/hw/net/net_tx_pkt.c +++ b/hw/net/net_tx_pkt.c @@ -65,10 +65,9 @@ void net_tx_pkt_init(struct NetTxPkt **pkt, PCIDevice *pci_dev, p->pci_dev = pci_dev; - p->vec = g_malloc((sizeof *p->vec) * - (max_frags + NET_TX_PKT_PL_START_FRAG)); + p->vec = g_new(struct iovec, max_frags + NET_TX_PKT_PL_START_FRAG); - p->raw = g_malloc((sizeof *p->raw) * max_frags); + p->raw = g_new(struct iovec, max_frags); p->max_payload_frags = max_frags; p->max_raw_frags = max_frags;
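Review bot: In the p->vec allocation, the sum `max_frags + NET_TX_PKT_PL_START_FRAG` is evaluated before g_new() receives it, so g_new()'s overflow check covers only the multiplication by sizeof(struct iovec). If max_frags is close to the maximum of its type, the addition can still wrap and produce an array smaller than the count later stored in p->max_payload_frags. max_frags itself also remains unvalidated, although the commit message names the unchecked fragment count as the root cause, and g_new() terminates the process on overflow rather than returning an error. Consider rejecting or clamping max_frags against an explicit upper bound at the top of net_tx_pkt_init(), before either allocation, and documenting that bound for callers.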