diff options
author | Peter Lieven <pl@kamp.de> | 2016-06-30 11:49:40 +0200 |
---|---|---|
committer | Jason Wang <jasowang@redhat.com> | 2016-09-27 17:54:22 +0800 |
commit | 47f9f15831faa549504ab9b035aaea44a02e5f95 (patch) | |
tree | 3beb277c083f7b88b669082268974e7e5afe6fc9 | |
parent | 584613eacb3840c1803e665ed7edd4ac186deced (diff) | |
download | qemu-47f9f15831faa549504ab9b035aaea44a02e5f95.zip qemu-47f9f15831faa549504ab9b035aaea44a02e5f95.tar.gz qemu-47f9f15831faa549504ab9b035aaea44a02e5f95.tar.bz2 |
net: limit allocation in nc_sendv_compat
we only need to allocate enough memory to hold the packet. This might be
less than NET_BUFSIZE. Additionally fail early if the packet is larger
than NET_BUFSIZE.
Signed-off-by: Peter Lieven <pl@kamp.de>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
-rw-r--r-- | net/net.c | 8 |
1 files changed, 6 insertions, 2 deletions
@@ -690,9 +690,13 @@ static ssize_t nc_sendv_compat(NetClientState *nc, const struct iovec *iov, buffer = iov[0].iov_base; offset = iov[0].iov_len; } else { - buf = g_new(uint8_t, NET_BUFSIZE); + offset = iov_size(iov, iovcnt); + if (offset > NET_BUFSIZE) { + return -1; + } + buf = g_malloc(offset); buffer = buf; - offset = iov_to_buf(iov, iovcnt, 0, buf, NET_BUFSIZE); + offset = iov_to_buf(iov, iovcnt, 0, buf, offset); } if (flags & QEMU_NET_PACKET_FLAG_RAW && nc->info->receive_raw) { |