On 12 August 2016 at 02:21, 李强 <liqiang...@360.cn> wrote:
> Hello Dmitry,
>
> I don't see the assert for 'max_frags' in vmxnet device emulation. Could you
> please point it out?
>
> In my PoC, I set it to '0x20000000', and in vmxnet_tx_pkt_init() the
> 'p->raw' will be NULL because of an integer overflow (in x86). And this will
> bypass all the asserts, and in
> vmxnet_tx_pkt_add_raw_fragment(), will cause a NULL pointer reference.
>
> void vmxnet_tx_pkt_init(struct VmxnetTxPkt **pkt, uint32_t max_frags,
>     bool has_virt_hdr)
> {
>     struct VmxnetTxPkt *p = g_malloc0(sizeof *p);
>
>     p->vec = g_malloc((sizeof *p->vec) *
>         (max_frags + VMXNET_TX_PKT_PL_START_FRAG));
>
>     p->raw = g_malloc((sizeof *p->raw) * max_frags);
>
>     *pkt = p;
> }
If the problem you are trying to guard against is that the multiply in
the argument to g_malloc() overflows, then the best way to fix that
I think is to use g_new() instead.

thanks
-- PMM
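As an added illustration (not code from QEMU, glib, or either poster), the following models the arithmetic the quoted PoC relies on and contrasts it with an overflow-checked multiply of the kind g_new() performs before allocating. The 32-bit model (an 8-byte struct iovec and a 32-bit size_t, so the product in g_malloc()'s argument wraps modulo 2^32), the NULL-for-zero behaviour of the g_malloc() stand-in, and all function names are assumptions made for the example:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed 32-bit x86 layout: struct iovec is 8 bytes (4-byte iov_base plus
 * 4-byte iov_len) and size_t is 32 bits, so the multiply in g_malloc()'s
 * argument is evaluated in 32-bit unsigned arithmetic. */
#define IOVEC32_SIZE 8u
#define SIZE32_MAX   UINT32_MAX

/* The product exactly as a 32-bit size_t computes it: it wraps modulo 2^32
 * with no diagnostic, which is the integer overflow in the quoted report. */
static uint32_t raw_bytes_unchecked32(uint32_t max_frags)
{
    return IOVEC32_SIZE * max_frags;
}

/* Overflow-aware multiply for a 32-bit size_t, the same kind of check that
 * g_new() applies. Returns true on overflow and leaves *out untouched. */
static bool mul_overflow32(uint32_t elem, uint32_t n, uint32_t *out)
{
    if (elem != 0 && n > SIZE32_MAX / elem) {
        return true;
    }
    *out = elem * n;
    return false;
}

/* Stand-in for g_malloc(): glib returns NULL for a zero-byte request, which
 * is how a wrapped size becomes a NULL p->raw (assumption for this model). */
static void *model_g_malloc(uint32_t bytes)
{
    return bytes == 0 ? NULL : malloc(bytes);
}

/* Unchecked path: size the raw-fragment array the way the quoted
 * vmxnet_tx_pkt_init() does, with a plain multiply. */
static void *alloc_raw_unchecked32(uint32_t max_frags)
{
    return model_g_malloc(raw_bytes_unchecked32(max_frags));
}

/* Checked path: refuse the allocation instead of returning a wrapped size.
 * Returns false on overflow; the caller must treat that as an error. */
static bool alloc_raw_checked32(uint32_t max_frags, void **out)
{
    uint32_t bytes;
    if (mul_overflow32(IOVEC32_SIZE, max_frags, &bytes)) {
        *out = NULL;
        return false;
    }
    *out = model_g_malloc(bytes);
    return true;
}

int main(void)
{
    const uint32_t evil = 0x20000000u;   /* the max_frags value from the quoted PoC */

    void *raw = alloc_raw_unchecked32(evil);
    printf("unchecked: bytes=%u raw=%s\n",
           raw_bytes_unchecked32(evil), raw ? "non-NULL" : "NULL");
    free(raw);

    void *raw2;
    bool ok = alloc_raw_checked32(evil, &raw2);
    printf("checked:   overflow=%s raw=%s\n",
           ok ? "no" : "yes", raw2 ? "non-NULL" : "NULL");
    free(raw2);

    ok = alloc_raw_checked32(16u, &raw2);
    printf("checked (16 frags): ok=%d raw=%s\n", ok, raw2 ? "non-NULL" : "NULL");
    free(raw2);
    return 0;
}
```

With max_frags = 0x20000000 the unchecked product is 0x20000000 * 8 = 0x100000000, which a 32-bit size_t truncates to 0, so the allocator is asked for zero bytes and hands back NULL; the checked multiply rejects the same input before any allocation happens, which is the property g_new() gives you for free.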