[for-2.0] virtio-net: fix guest-triggerable buffer overrun

Message ID 5356720E.8000702@elastichosts.com
State New

Commit Message

Alin Dobre April 22, 2014, 1:43 p.m. UTC
Hello,

For the 1.6 branch, is this as straightforward as the following diff,
or is there anything I'm missing?

         if (s != mac_data.entries * ETH_ALEN) {

Cheers,
Alin.

Comments

Michael S. Tsirkin April 22, 2014, 3:24 p.m. UTC | #1
On Tue, Apr 22, 2014 at 02:43:42PM +0100, Alin Dobre wrote:
> Hello,
> 
> For the 1.6 branch, is this as straightforward as the following diff,
> or is there anything I'm missing?

I think it's the same.

> diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
> index 5320aab..a42d241 100644
> --- a/hw/net/virtio-net.c
> +++ b/hw/net/virtio-net.c
> @@ -655,7 +655,7 @@ static int virtio_net_handle_mac(VirtIONet *n,
> uint8_t cmd,
>          goto error;
>      }
> 
> -    if (n->mac_table.in_use + mac_data.entries <= MAC_TABLE_ENTRIES) {
> +    if (mac_data.entries <= MAC_TABLE_ENTRIES - n->mac_table.in_use) {
>          s = iov_to_buf(iov, iov_cnt, 0, n->mac_table.macs,
>                         mac_data.entries * ETH_ALEN);
>          if (s != mac_data.entries * ETH_ALEN) {
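Review bot: The iov_to_buf() call on the context line right after the changed check still writes to n->mac_table.macs, the start of the table, while the new guard only admits mac_data.entries that fit in the MAC_TABLE_ENTRIES - n->mac_table.in_use slots still free. If the entries already counted in in_use are meant to survive, the destination should be offset by n->mac_table.in_use * ETH_ALEN; if overwriting from the base is intended, a short comment saying so would help, because the guard and the destination otherwise read as inconsistent.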
> 
> Cheers,
> Alin.

Patch

diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index 5320aab..a42d241 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -655,7 +655,7 @@  static int virtio_net_handle_mac(VirtIONet *n,
uint8_t cmd,
         goto error;
     }

-    if (n->mac_table.in_use + mac_data.entries <= MAC_TABLE_ENTRIES) {
+    if (mac_data.entries <= MAC_TABLE_ENTRIES - n->mac_table.in_use) {
         s = iov_to_buf(iov, iov_cnt, 0, n->mac_table.macs,
                        mac_data.entries * ETH_ALEN);
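Review bot: The subtraction in the new condition, MAC_TABLE_ENTRIES - n->mac_table.in_use, is only safe while in_use never exceeds MAC_TABLE_ENTRIES, and nothing in this hunk states or enforces that invariant. Consider asserting it just before the check, and adding a one-line comment that mac_data.entries is the untrusted operand and that the old form, n->mac_table.in_use + mac_data.entries, is the sum the rewrite is avoiding, so the comparison is not later "simplified" back to the addition.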