authorAnastasia Belova <nabelova31@gmail.com>2025-06-02 11:57:17 +0300
committerJason Wang <jasowang@redhat.com>2025-07-14 10:13:37 +0800
commit110d0fa2d4d1f754242f6775baec43776a9adb35 (patch)
treeaeb4be33276d593a69f716f10c9a75c9876adb51
parent9a4e273ddec3927920c5958d2226c6b38b543336 (diff)
net: fix buffer overflow in af_xdp_umem_create()
s->pool has n_descs elements so maximum i should be n_descs - 1. Fix the upper bound. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: cb039ef3d9 ("net: add initial support for AF_XDP network backend") Cc: qemu-stable@nongnu.org Reviewed-by: Ilya Maximets <i.maximets@ovn.org> Signed-off-by: Anastasia Belova <nabelova31@gmail.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
-rw-r--r--net/af-xdp.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/af-xdp.c b/net/af-xdp.c
index 01c5fb9..d022534 100644
--- a/net/af-xdp.c
+++ b/net/af-xdp.c
@@ -323,7 +323,7 @@ static int af_xdp_umem_create(AFXDPState *s, int sock_fd, Error **errp)
s->pool = g_new(uint64_t, n_descs);
/* Fill the pool in the opposite order, because it's a LIFO queue. */
- for (i = n_descs; i >= 0; i--) {
+ for (i = n_descs - 1; i >= 0; i--) {
s->pool[i] = i * XSK_UMEM__DEFAULT_FRAME_SIZE;
}
s->n_pool = n_descs;
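Review bot: The corrected loop `for (i = n_descs - 1; i >= 0; i--)` still terminates only if `i` is a signed type, and the declarations of `i` and `n_descs` are outside this hunk, so that cannot be confirmed from here. Each slot is written from its own index (`s->pool[i] = i * XSK_UMEM__DEFAULT_FRAME_SIZE`), so the iteration direction does not change the resulting array. An ascending loop, `for (i = 0; i < n_descs; i++) {`, would produce the same contents with the bound tied directly to the `g_new(uint64_t, n_descs)` allocation size and no dependence on signedness. If the descending form is kept, a comment such as `/* i must stay signed: the loop ends when i drops below zero */` would guard the bound against a later type change. The body of af_xdp_umem_create starts and ends outside the hunk.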