git.ipfire.org Git - thirdparty/qemu.git/commit

author	Dmitry Fleytman <dmitry@daynix.com>
	Thu, 16 Feb 2017 12:29:33 +0000 (14:29 +0200)
committer	Michael Roth <mdroth@linux.vnet.ibm.com>
	Thu, 16 Mar 2017 17:10:41 +0000 (12:10 -0500)
commit	7cfd9c114bdc39a9b94fb7a42058e421edd1d285
tree	19f15341a78d7909fe436b499ac53770b701dda3	tree
parent	bddf2232fc3fae26ee070280aa19595f8a437b6e	commit \| diff

NetRxPkt: Fix memory corruption on VLAN header stripping

This patch fixed a problem that was introduced in commit eb700029.

When net_rx_pkt_attach_iovec() calls eth_strip_vlan()
this can result in pkt->ehdr_buf being overflowed, because
ehdr_buf is only sizeof(struct eth_header) bytes large
but eth_strip_vlan() can write
sizeof(struct eth_header) + sizeof(struct vlan_header)
bytes into it.

Devices affected by this problem: vmxnet3.

Cc: qemu-stable@nongnu.org
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit df8bf7a7fe75eb5d5caffa55f5cd4292b757aea6)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>