This patchset fixes assertion failures in e1000e_write_payload_frag_to_rx_buffers(). There turn out to be two ways this assert could be triggered.
The first is the one reported in https://gitlab.com/qemu-project/qemu/-/issues/537 where a malicious guest could set up the device into loopback mode and then send a carefully sized packet that trips a bug in the logic in e1000e_write_packet_to_guest() that tries to calculate how much data it is going to put into an RX descriptor, causing us to hit the assertion. The second is one I spotted by code inspection, where the assert is slightly over-eager and could assert in one valid case of a just exactly large enough packet. Patch 1 fixes what I believe to be an incorrect-behaviour bug for descriptors with NULL buffer addresses, largely because that makes the following patch to fix the assertion less awkward. thanks -- PMM Peter Maydell (3): hw/net/e1000e_core: Don't advance desc_offset for NULL buffer RX descriptors hw/net/e1000e_core: Correct rx oversize packet checks hw/net/e1000e_core: Adjust e1000e_write_payload_frag_to_rx_buffers() assert hw/net/e1000e_core.c | 85 ++++++++++++++++++++++++++++++-------------- 1 file changed, 59 insertions(+), 26 deletions(-) -- 2.43.0
