From: Jason Wang
Date: Wed, 26 Oct 2016 10:24:09 +0800
Message-Id: <1477448651-4474-8-git-send-email-jasowang@redhat.com>
In-Reply-To: <1477448651-4474-1-git-send-email-jasowang@redhat.com>
References: <1477448651-4474-1-git-send-email-jasowang@redhat.com>
Subject: [Qemu-devel] [PULL 7/9] net: vmxnet: initialise local tx descriptor
To: qemu-devel@nongnu.org, peter.maydell@linaro.org
Cc: Li Qiang, Prasad J Pandit, Jason Wang

From: Li Qiang

In Vmxnet3 device emulator while processing transmit(tx) queue, when it reaches end of packet, it calls vmxnet3_complete_packet. In that local 'txcq_descr' object is not initialised, which could leak host memory bytes to a guest.

Reported-by: Li Qiang
Signed-off-by: Prasad J Pandit
Reviewed-by: Dmitry Fleytman
Signed-off-by: Jason Wang
--- hw/net/vmxnet3.c | 1 + 1 file changed, 1 insertion(+) diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c index 90f6943..92f6af9 100644 --- a/hw/net/vmxnet3.c +++ b/hw/net/vmxnet3.c 
@@ -531,6 +531,7 @@ static void vmxnet3_complete_packet(VMXNET3State *s, int qidx, uint32_t tx_ridx) VMXNET3_RING_DUMP(VMW_RIPRN, "TXC", qidx, &s->txq_descr[qidx].comp_ring); + memset(&txcq_descr, 0, sizeof(txcq_descr)); txcq_descr.txdIdx = tx_ridx; txcq_descr.gen = vmxnet3_ring_curr_gen(&s->txq_descr[qidx].comp_ring); -- 2.7.4
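Review bot: the added memset in vmxnet3_complete_packet carries no comment saying why the whole descriptor is cleared, and because only txdIdx and gen are assigned immediately after it, a later cleanup could drop it as redundant or swap it for per-field assignments. A one-line comment above `memset(&txcq_descr, 0, sizeof(txcq_descr));` stating that the descriptor is exposed to the guest and must not carry leftover host memory bytes would protect the fix. Keeping memset rather than a `= { 0 }` initialiser is the right choice here, since memset also clears any padding bytes in the object, which an initialiser is not guaranteed to do.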