File CVE-2016-6888-qemuu-net-vmxnet3-integer-overflow-in-packet-initialisation-in-vmxnet3.patch of Package xen.4507

References: bsc#994772 CVE-2016-6888

When network transport abstraction layer initialises pkt, the maximum
fragmentation count is not checked. This could lead to an integer
overflow causing a NULL pointer dereference. Replace g_malloc() with
g_new() to catch the multiplication overflow.

Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Acked-by: Dmitry Fleytman <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
---
 hw/net/net_tx_pkt.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/net/vmxnet_tx_pkt.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/net/vmxnet_tx_pkt.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/net/vmxnet_tx_pkt.c
@@ -59,10 +59,9 @@ void vmxnet_tx_pkt_init(struct VmxnetTxP
 {
     struct VmxnetTxPkt *p = g_malloc0(sizeof *p);
 
-    p->vec = g_malloc((sizeof *p->vec) *
-        (max_frags + VMXNET_TX_PKT_PL_START_FRAG));
+    p->vec = g_new(struct iovec, max_frags + VMXNET_TX_PKT_PL_START_FRAG);
 
-    p->raw = g_malloc((sizeof *p->raw) * max_frags);
+    p->raw = g_new(struct iovec, max_frags);
 
     p->max_payload_frags = max_frags;
     p->max_raw_frags = max_frags;

Places

File CVE-2016-6888-qemuu-net-vmxnet3-integer-overflow-in-packet-initialisation-in-vmxnet3.patch of Package xen.4507

Places