| commit | df8bf7a7fe75eb5d5caffa55f5cd4292b757aea6 | |
| author | Dmitry Fleytman <dmitry@daynix.com> | |
| Thu, 16 Feb 2017 12:29:33 +0000 (16 14:29 +0200) | ||
| committer | Jason Wang <jasowang@redhat.com> | |
| Mon, 6 Mar 2017 03:46:02 +0000 (6 11:46 +0800) | ||
| tree | 7831c4a9aa99f757f9016b48504258b28f60abcd | treesnapshot (tar.gz zip) |
| parent | 566342c3125ac2e73abd36c650222318164517ed | commitdiff |
NetRxPkt: Fix memory corruption on VLAN header stripping
This patch fixed a problem that was introduced in commit eb700029.
When net_rx_pkt_attach_iovec() calls eth_strip_vlan()
this can result in pkt->ehdr_buf being overflowed, because
ehdr_buf is only sizeof(struct eth_header) bytes large
but eth_strip_vlan() can write
sizeof(struct eth_header) + sizeof(struct vlan_header)
bytes into it.
Devices affected by this problem: vmxnet3.
Cc: qemu-stable@nongnu.org
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
This patch fixed a problem that was introduced in commit eb700029.
When net_rx_pkt_attach_iovec() calls eth_strip_vlan()
this can result in pkt->ehdr_buf being overflowed, because
ehdr_buf is only sizeof(struct eth_header) bytes large
but eth_strip_vlan() can write
sizeof(struct eth_header) + sizeof(struct vlan_header)
bytes into it.
Devices affected by this problem: vmxnet3.
Cc: qemu-stable@nongnu.org
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
| hw/net/net_rx_pkt.c | diffblobblamehistory |