[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH] net: rocker: fix an incorrect array bounds chec
From: |
Paolo Bonzini |
Subject: |
Re: [Qemu-devel] [PATCH] net: rocker: fix an incorrect array bounds check |
Date: |
Tue, 22 Dec 2015 19:13:11 +0100 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.4.0 |
On 22/12/2015 18:26, P J P wrote:
> +-- On Tue, 22 Dec 2015, Paolo Bonzini wrote --+
> | > - if (++iovcnt > ROCKER_TX_FRAGS_MAX) {
> | > + if (++iovcnt >= ROCKER_TX_FRAGS_MAX) {
> |
> | Doesn't this forbid some valid ROCKER_TX_FRAGS_MAX-element iovecs?
>
> forbid..? Sorry, I did not get the question.
>
> | The check should be moved before the assignment to iov[iovcnt].iov_len.
>
> You mean like below..?
>
> ===
> diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
> index c57f1a6..2e77e50 100644
> --- a/hw/net/rocker/rocker.c
> +++ b/hw/net/rocker/rocker.c
> @@ -232,6 +232,9 @@ static int tx_consume(Rocker *r, DescInfo *info)
> frag_addr = rocker_tlv_get_le64(tlvs[ROCKER_TLV_TX_FRAG_ATTR_ADDR]);
> frag_len = rocker_tlv_get_le16(tlvs[ROCKER_TLV_TX_FRAG_ATTR_LEN]);
>
> + if (iovcnt >= ROCKER_TX_FRAGS_MAX) {
> + goto err_too_many_frags;
> + }
> iov[iovcnt].iov_len = frag_len;
> iov[iovcnt].iov_base = g_malloc(frag_len);
> if (!iov[iovcnt].iov_base) {
> @@ -244,10 +247,7 @@ static int tx_consume(Rocker *r, DescInfo *info)
> err = -ROCKER_ENXIO;
> goto err_bad_io;
> }
> -
> - if (++iovcnt > ROCKER_TX_FRAGS_MAX) {
> - goto err_too_many_frags;
> - }
> + iovcnt++;
> }
>
> if (iovcnt) {
> ===
>
> Thank you.
> --
> Prasad J Pandit / Red Hat Product Security Team
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
>
>
Yes, can you submit it as v2?
Paolo