diff mbox series

[2/2] hw/net: check max_raw_frags in e1000e and vmxnet3 devices

Message ID 20200727170838.1101775-3-mcascell@redhat.com (mailing list archive)
State New, archived
Headers show
Series assertion failure in net_tx_pkt_add_raw_fragment() in hw/net/net_tx_pkt.c | expand

Commit Message

Mauro Matteo Cascella July 27, 2020, 5:08 p.m. UTC
This patch adds a check in both e1000e and vmxnet3 devices to skip the packet
if the current data fragment exceeds max_raw_frags, preventing
net_tx_pkt_add_raw_fragment() to be called with an invalid raw_frags.

Reported-by: Ziming Zhang <ezrakiez@gmail.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
---
 hw/net/e1000e_core.c | 3 ++-
 hw/net/vmxnet3.c     | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff mbox series

Patch

diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c
index bcd186cac5..c573a30d63 100644
--- a/hw/net/e1000e_core.c
+++ b/hw/net/e1000e_core.c
@@ -728,7 +728,8 @@  e1000e_process_tx_desc(E1000ECore *core,
     addr = le64_to_cpu(dp->buffer_addr);
 
     if (!tx->skip_cp) {
-        if (!net_tx_pkt_add_raw_fragment(tx->tx_pkt, addr, split_size)) {
+        if (net_tx_pkt_exceed_max_fragments(tx->tx_pkt) ||
+            !net_tx_pkt_add_raw_fragment(tx->tx_pkt, addr, split_size)) {
             tx->skip_cp = true;
         }
     }
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index 7a6ca4ec35..f482806037 100644
--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
@@ -650,7 +650,8 @@  static void vmxnet3_process_tx_queue(VMXNET3State *s, int qidx)
             data_len = (txd.len > 0) ? txd.len : VMXNET3_MAX_TX_BUF_SIZE;
             data_pa = txd.addr;
 
-            if (!net_tx_pkt_add_raw_fragment(s->tx_pkt,
+            if (net_tx_pkt_exceed_max_fragments(s->tx_pkt) ||
+                !net_tx_pkt_add_raw_fragment(s->tx_pkt,
                                                 data_pa,
                                                 data_len)) {
                 s->skip_current_tx_pkt = true;