From: Prasad J Pandit <p...@fedoraproject.org>

While sending packets, the check that packet 'payload_len' is within the 64kB limit seems to happen only for GSO frames. It may lead to use-after-free or out-of-bounds access like issues when sending non-GSO frames. Check the 'payload_len' limit for all packets, irrespective of the gso type.
Reported-by: Alexander Bulekov <alx...@bu.edu> Signed-off-by: Prasad J Pandit <p...@fedoraproject.org> --- hw/net/net_tx_pkt.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c index 162f802dd7..e66998a8f9 100644 --- a/hw/net/net_tx_pkt.c +++ b/hw/net/net_tx_pkt.c @@ -607,12 +607,10 @@ bool net_tx_pkt_send(struct NetTxPkt *pkt, NetClientState *nc) * Since underlying infrastructure does not support IP datagrams longer * than 64K we should drop such packets and don't even try to send */ - if (VIRTIO_NET_HDR_GSO_NONE != pkt->virt_hdr.gso_type) { - if (pkt->payload_len > - ETH_MAX_IP_DGRAM_LEN - - pkt->vec[NET_TX_PKT_L3HDR_FRAG].iov_len) { - return false; - } + if (pkt->payload_len > + ETH_MAX_IP_DGRAM_LEN - + pkt->vec[NET_TX_PKT_L3HDR_FRAG].iov_len) { + return false; } if (pkt->has_virt_hdr || -- 2.26.2
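Review bot: the comment immediately above the hunk ("Since underlying infrastructure does not support IP datagrams longer than 64K we should drop such packets and don't even try to send") still reads as if the limit were tied to IP datagram handling; now that the `payload_len > ETH_MAX_IP_DGRAM_LEN - pkt->vec[NET_TX_PKT_L3HDR_FRAG].iov_len` check is applied regardless of `gso_type`, a short note there that the bound is enforced for non-GSO frames as well would keep the comment in step with the code. Related: the commit message states that the missing check for non-GSO frames "may lead to use-after-free or out-of-bounds access like issues" but does not name the consumer that relies on the 64K bound; adding the affected call path (or a reference to the reporter's findings) would help reviewers confirm that `return false` here is sufficient and would help anyone backporting the change.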