authorLi Qiang <liqiang6-s@360.cn>2016-08-22 13:11:57 +0530
committerMichael Roth <mdroth@linux.vnet.ibm.com>2016-09-08 15:29:37 -0500
commitcb3677cd50dcb07e74d0113337e40e9e3e14d728 (patch)
tree4c25d8caf4cb98440ac551ca2d0a61ee208e9aa1
parent93060258ae748573ca7197204125a2670047896d (diff)
net: vmxnet: use g_new for pkt initialisation
When vmxnet transport abstraction layer initialises pkt, the maximum fragmentation count is not checked. This could lead to an integer overflow causing a NULL pointer dereference. Replace g_malloc() with g_new() to catch the multiplication overflow. Reported-by: Li Qiang <liqiang6-s@360.cn> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Acked-by: Dmitry Fleytman <dmitry@daynix.com> Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-rw-r--r--hw/net/vmxnet_tx_pkt.c5
1 files changed, 2 insertions, 3 deletions
diff --git a/hw/net/vmxnet_tx_pkt.c b/hw/net/vmxnet_tx_pkt.c
index 5ba2f5ea6c..849826b15e 100644
--- a/hw/net/vmxnet_tx_pkt.c
+++ b/hw/net/vmxnet_tx_pkt.c
@@ -60,10 +60,9 @@ void vmxnet_tx_pkt_init(struct VmxnetTxPkt **pkt, uint32_t max_frags,
{
struct VmxnetTxPkt *p = g_malloc0(sizeof *p);
- p->vec = g_malloc((sizeof *p->vec) *
- (max_frags + VMXNET_TX_PKT_PL_START_FRAG));
+ p->vec = g_new(struct iovec, max_frags + VMXNET_TX_PKT_PL_START_FRAG);
- p->raw = g_malloc((sizeof *p->raw) * max_frags);
+ p->raw = g_new(struct iovec, max_frags);
p->max_payload_frags = max_frags;
p->max_raw_frags = max_frags;
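Review bot: The sum `max_frags + VMXNET_TX_PKT_PL_START_FRAG` in the first `g_new()` call is still evaluated in 32-bit unsigned arithmetic (assuming the constant is a small int), so it can wrap to a small count before g_new's multiplication check sees it, leaving `p->vec` shorter than `max_payload_frags` implies. g_new() also aborts the process on overflow or allocation failure, so if `max_frags` comes from guest-controlled device state (not visible in this hunk), an oversized value still terminates the VM instead of being rejected. I would bound the value before allocating, at minimum with `g_assert(max_frags <= UINT32_MAX - VMXNET_TX_PKT_PL_START_FRAG);`, and preferably have the caller validate it against the device's fragment limit and fail the request cleanly. The body of vmxnet_tx_pkt_init continues outside the hunk.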