From: Anastasia Belova <nabelova31@gmail.com>
Date: Mon, 2 Jun 2025 08:57:17 +0000 (+0300)
Subject: net: fix buffer overflow in af_xdp_umem_create()
X-Git-Tag: v10.1.0-rc0~22^2~12
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=110d0fa2d4d1f754242f6775baec43776a9adb35;p=thirdparty%2Fqemu.git

net: fix buffer overflow in af_xdp_umem_create()

s->pool has n_descs elements so maximum i should be
n_descs - 1. Fix the upper bound.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: cb039ef3d9 ("net: add initial support for AF_XDP network backend")
Cc: qemu-stable@nongnu.org
Reviewed-by: Ilya Maximets <i.maximets@ovn.org>
Signed-off-by: Anastasia Belova <nabelova31@gmail.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---

diff --git a/net/af-xdp.c b/net/af-xdp.c
index 01c5fb914e..d022534d76 100644
--- a/net/af-xdp.c
+++ b/net/af-xdp.c
@@ -323,7 +323,7 @@ static int af_xdp_umem_create(AFXDPState *s, int sock_fd, Error **errp)
 
     s->pool = g_new(uint64_t, n_descs);
     /* Fill the pool in the opposite order, because it's a LIFO queue. */
-    for (i = n_descs; i >= 0; i--) {
+    for (i = n_descs - 1; i >= 0; i--) {
         s->pool[i] = i * XSK_UMEM__DEFAULT_FRAME_SIZE;
     }
     s->n_pool = n_descs;