On 2025/11/04 2:58, Peter Maydell wrote:
This patchset fixes assertion failures in
e1000e_write_payload_frag_to_rx_buffers(). There turn out to be two
ways this assert could be triggered.
The first is the one reported in
https://gitlab.com/qemu-project/qemu/-/issues/537 where a malicious
guest could set up the device into loopback mode and then send a
carefully sized packet that trips a bug in the logic in
e1000e_write_packet_to_guest() that tries to calculate how much data
it is going to put into an RX descriptor, causing us to hit the
assertion.
The second is one I spotted by code inspection, where the assert is
slightly over-eager and could assert in one valid case of a just
exactly large enough packet.
Patch 1 fixes what I believe to be an incorrect-behaviour bug
for descriptors with NULL buffer addresses, largely because
that makes the following patch to fix the assertion less awkward.
thanks
-- PMM
Peter Maydell (3):
hw/net/e1000e_core: Don't advance desc_offset for NULL buffer RX
descriptors
hw/net/e1000e_core: Correct rx oversize packet checks
hw/net/e1000e_core: Adjust e1000e_write_payload_frag_to_rx_buffers()
assert
hw/net/e1000e_core.c | 85 ++++++++++++++++++++++++++++++--------------
1 file changed, 59 insertions(+), 26 deletions(-)
For the whole series:
Reviewed-by: Akihiko Odaki <[email protected]>
