qemu-devel

[PATCH] hw/net/rocker: avoid NULL pointer dereference in of_dpa_cmd_add_


From: Michael Tokarev
Subject: [PATCH] hw/net/rocker: avoid NULL pointer dereference in of_dpa_cmd_add_l2_flood
Date: Wed, 22 Nov 2023 21:09:40 +0300
User-agent: Mozilla Thunderbird

Was this CVE-2022-36648 fix lost?

https://lists.nongnu.org/archive/html/qemu-devel/2022-06/msg04469.html

rocker_tlv_parse_nested could return early because of no group ids in
the group_tlvs. In such a case tlvs is NULL; tlvs[i + 1] in the next
for-loop will deref the NULL pointer.

Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reported-by: <arayz_w@icloud.com>
---
 hw/net/rocker/rocker_of_dpa.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/hw/net/rocker/rocker_of_dpa.c b/hw/net/rocker/rocker_of_dpa.c
index b3b8c5bb6d..1611b79227 100644
--- a/hw/net/rocker/rocker_of_dpa.c
+++ b/hw/net/rocker/rocker_of_dpa.c
@@ -2039,6 +2039,11 @@ static int of_dpa_cmd_add_l2_flood(OfDpa *of_dpa,
OfDpaGroup *group,
     rocker_tlv_parse_nested(tlvs, group->l2_flood.group_count,
                             group_tlvs[ROCKER_TLV_OF_DPA_GROUP_IDS]);

+    if (!tlvs) {
+        err = -ROCKER_EINVAL;
+        goto err_out;
+    }
+
     for (i = 0; i < group->l2_flood.group_count; i++) {
         group->l2_flood.group_ids[i] = rocker_tlv_get_le32(tlvs[i + 1]);
     }
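
Review bot: the added `if (!tlvs)` check tests the array pointer, but the pointer the following loop hands to rocker_tlv_get_le32() is the element `tlvs[i + 1]`. `tlvs` is passed to rocker_tlv_parse_nested() as an ordinary argument, so if that is a function rather than a macro, an early return cannot set `tlvs` itself to NULL; it can only leave the elements unfilled. In that case this check never fires and the dereference remains. Suggest validating each element inside the loop instead, e.g. `if (!tlvs[i + 1]) { err = -ROCKER_EINVAL; goto err_out; }` placed before the rocker_tlv_get_le32() call. Please also confirm that the err_out path releases `tlvs`, since both its allocation and the label are outside this hunk.
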
--
2.35.3


