[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH v2] net: rocker: fix an incorrect array bounds check
|
From: |
P J P |
|
Subject: |
[Qemu-devel] [PATCH v2] net: rocker: fix an incorrect array bounds check |
|
Date: |
Wed, 23 Dec 2015 00:54:18 +0530 (IST) |
Hello Paolo, all
Please see an updated patch below, as per suggestion in
-> https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg04057.html
===
From 344a487d637be20b3fb110bec36cb703e7f6ecaa Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <address@hidden>
Date: Wed, 23 Dec 2015 00:40:13 +0530
Subject: [PATCH v2] net: rocker: fix an incorrect array bounds check
While processing transmit(tx) descriptors in 'tx_consume' routine
the switch emulator suffers from an off-by-one error, if a
descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=16)
fragments. Fix an incorrect bounds check to avoid it.
Reported-by: Qinghao Tang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/net/rocker/rocker.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
index c57f1a6..2e77e50 100644
--- a/hw/net/rocker/rocker.c
+++ b/hw/net/rocker/rocker.c
@@ -232,6 +232,9 @@ static int tx_consume(Rocker *r, DescInfo *info)
frag_addr = rocker_tlv_get_le64(tlvs[ROCKER_TLV_TX_FRAG_ATTR_ADDR]);
frag_len = rocker_tlv_get_le16(tlvs[ROCKER_TLV_TX_FRAG_ATTR_LEN]);
+ if (iovcnt >= ROCKER_TX_FRAGS_MAX) {
+ goto err_too_many_frags;
+ }
iov[iovcnt].iov_len = frag_len;
iov[iovcnt].iov_base = g_malloc(frag_len);
if (!iov[iovcnt].iov_base) {
@@ -244,10 +247,7 @@ static int tx_consume(Rocker *r, DescInfo *info)
err = -ROCKER_ENXIO;
goto err_bad_io;
}
-
- if (++iovcnt > ROCKER_TX_FRAGS_MAX) {
- goto err_too_many_frags;
- }
+ iovcnt++;
}
if (iovcnt) {
--
2.4.3
===
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
- [Qemu-devel] [PATCH v2] net: rocker: fix an incorrect array bounds check,
P J P <=