[PATCH] hw/net/rocker: avoid NULL pointer dereference in of_dpa_cmd_add_
From: Michael Tokarev
Subject: [PATCH] hw/net/rocker: avoid NULL pointer dereference in of_dpa_cmd_add_l2_flood
Date: Wed, 22 Nov 2023 21:09:40 +0300
User-agent: Mozilla Thunderbird
Did this CVE-2022-36648 fix get lost?
https://lists.nongnu.org/archive/html/qemu-devel/2022-06/msg04469.html
rocker_tlv_parse_nested could return early because of no group ids in
the group_tlvs. In such case tlvs is NULL; tlvs[i + 1] in the next
for-loop will deref the NULL pointer.
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reported-by: <arayz_w@icloud.com>
---
hw/net/rocker/rocker_of_dpa.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hw/net/rocker/rocker_of_dpa.c b/hw/net/rocker/rocker_of_dpa.c
index b3b8c5bb6d..1611b79227 100644
--- a/hw/net/rocker/rocker_of_dpa.c
+++ b/hw/net/rocker/rocker_of_dpa.c
@@ -2039,6 +2039,11 @@ static int of_dpa_cmd_add_l2_flood(OfDpa *of_dpa,
OfDpaGroup *group,
rocker_tlv_parse_nested(tlvs, group->l2_flood.group_count,
group_tlvs[ROCKER_TLV_OF_DPA_GROUP_IDS]);
+ if (!tlvs) {
+ err = -ROCKER_EINVAL;
+ goto err_out;
+ }
+
for (i = 0; i < group->l2_flood.group_count; i++) {
group->l2_flood.group_ids[i] = rocker_tlv_get_le32(tlvs[i + 1]);
}
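Review bot: the added `if (!tlvs)` check comes after `tlvs` has already been passed to `rocker_tlv_parse_nested()`, and it tests the array pointer, whereas the loop below reads the individual entries through `rocker_tlv_get_le32(tlvs[i + 1])`. The commit message describes the parser returning early when there are no group ids; if that leaves the entries unset rather than the array pointer itself NULL, this check does not catch it. Consider validating `group_tlvs[ROCKER_TLV_OF_DPA_GROUP_IDS]` before the parse call and checking each `tlvs[i + 1]` inside the loop before reading it. If `tlvs` itself can be NULL, the check belongs before the call that uses it.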
--
2.35.3