Do not allow qemu_send_packet*() and qemu_net_queue_send() functions to accept packets bigger then NET_BUFSIZE.
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
---
We have to put a limit somewhere. NET_BUFSIZE is defined as:
/* Maximum GSO packet size (64k) plus plenty of room for
 * the ethernet and virtio_net headers */
#define NET_BUFSIZE (4096 + 65536)
If we do want to accept bigger packets (i.e. multiple GSO packets in a IOV), we could use INT32_MAX as limit...
---
 net/net.c | 4 ++++
 net/queue.c | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/net/net.c b/net/net.c
index 6a2c3d95670..f29bfac2b11 100644
--- a/net/net.c
+++ b/net/net.c
@@ -644,6 +644,10 @@ static ssize_t qemu_send_packet_async_with_flags(NetClientState *sender,
     qemu_hexdump(stdout, "net", buf, size);
 #endif
 
+    if (size > NET_BUFSIZE) {
+        return -1;
+    }
+
     if (sender->link_down || !sender->peer) {
         return size;
     }
diff --git a/net/queue.c b/net/queue.c
index 19e32c80fda..221a1c87961 100644
--- a/net/queue.c
+++ b/net/queue.c
@@ -191,6 +191,10 @@ ssize_t qemu_net_queue_send(NetQueue *queue,
 {
     ssize_t ret;
 
+    if (size > NET_BUFSIZE) {
+        return -1;
+    }
+
     if (queue->delivering || !qemu_can_send_packet(sender)) {
         qemu_net_queue_append(queue, sender, flags, data, size, sent_cb);
         return 0;
-- 
2.26.2
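Review bot: The new size guard is placed after the `qemu_hexdump(stdout, "net", buf, size);` call under `#ifdef DEBUG_NET`, so a debug build will dump the entire oversized buffer to stdout before rejecting it; the check belongs above the `#ifdef DEBUG_NET` block (which starts outside the hunk) so the frame is refused before anything touches it. The bare `return -1;` also drops the frame without any explanation or observable signal, and since this is the chokepoint the description relies on to keep frames within what backends buffer (the NET_BUFSIZE definition is quoted in the description, not visible here), I would document it: `/* Backends buffer at most NET_BUFSIZE bytes per frame; refuse anything larger. */`. If net.c has a trace point for dropped packets, emitting it here would make a guest-driven oversize send visible rather than silent. Note that `size` is presumably `size_t` while NET_BUFSIZE is an `int` constant; the comparison is safe only because the constant is positive, which a short comment could state. qemu_send_packet_async_with_flags starts and ends outside the hunk.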
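Review bot: The guard is added only to qemu_net_queue_send(); if queue.c also has a vectored counterpart (qemu_net_queue_send_iov, outside this hunk, which the description's mention of "multiple GSO packets in a IOV" suggests exists), an iov whose summed iov_len exceeds NET_BUFSIZE still reaches the backend through that path and the new limit can be bypassed, so the same check should be applied there on the total iov length. The early `return -1;` also short-circuits before the `queue->delivering` check, which is correct, but it carries no comment; I would add `/* Reject frames larger than a backend's NET_BUFSIZE receive buffer. */` above it and consider a trace event so rejected frames are countable during incident analysis. qemu_net_queue_send's signature starts outside the hunk and its body continues past it.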
