net: limit allocation in nc_sendv_compat

we only need to allocate enough memory to hold the packet. This might be less than NET_BUFSIZE. Additionally fail early if the packet is larger than NET_BUFSIZE. Signed-off-by: N Peter Lieven <pl@kamp.de> Reviewed-by: N Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: N Jason Wang <jasowang@redhat.com>

net: limit allocation in nc_sendv_compat
we only need to allocate enough memory to hold the packet. This might be less than NET_BUFSIZE. Additionally fail early if the packet is larger than NET_BUFSIZE. Signed-off-by: N Peter Lieven <pl@kamp.de> Reviewed-by: N Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: N Jason Wang <jasowang@redhat.com>
47f9f158 · Peter Lieven · Jason Wang · 584613ea · 47f9f158
隐藏空白更改
内联并排

Showing with 6 addition and 2 deletion

net/net.c net/net.c +6 -2

未找到文件。
--- a/net/net.c
+++ b/net/net.c
@@ -690,9 +690,13 @@ static ssize_t nc_sendv_compat(NetClientState *nc, const struct iovec *iov,
        buffer = iov[0].iov_base;
        offset = iov[0].iov_len;
    } else {
-        buf = g_new(uint8_t, NET_BUFSIZE);
+        offset = iov_size(iov, iovcnt);
+        if (offset > NET_BUFSIZE) {
+            return -1;
+        }
+        buf = g_malloc(offset);
        buffer = buf;
-        offset = iov_to_buf(iov, iovcnt, 0, buf, NET_BUFSIZE);
+        offset = iov_to_buf(iov, iovcnt, 0, buf, offset);
    }

    if (flags & QEMU_NET_PACKET_FLAG_RAW && nc->info->receive_raw) {