From 47882fa4975bf0b58dd74474329fdd7154e8f04c Mon Sep 17 00:00:00 2001
From: Li Qiang
Date: Tue, 16 Aug 2016 16:58:01 +0530
Subject: [PATCH 1/2] net: vmxnet: use g_new for pkt initialisation

When network transport abstraction layer initialises pkt, the maximum fragmentation count is not checked. This could lead to an integer overflow causing a NULL pointer dereference. Replace g_malloc() with g_new() to catch the multiplication overflow.

Reported-by: Li Qiang
Signed-off-by: Prasad J Pandit
Acked-by: Dmitry Fleytman
Signed-off-by: Jason Wang
---
 hw/net/net_tx_pkt.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
index 53dfaa292c..20b25496e5 100644
--- a/hw/net/net_tx_pkt.c
+++ b/hw/net/net_tx_pkt.c
@@ -65,10 +65,9 @@ void net_tx_pkt_init(struct NetTxPkt **pkt, PCIDevice *pci_dev,
     p->pci_dev = pci_dev;
-    p->vec = g_malloc((sizeof *p->vec) *
-                      (max_frags + NET_TX_PKT_PL_START_FRAG));
+    p->vec = g_new(struct iovec, max_frags + NET_TX_PKT_PL_START_FRAG);
-    p->raw = g_malloc((sizeof *p->raw) * max_frags);
+    p->raw = g_new(struct iovec, max_frags);
     p->max_payload_frags = max_frags;
     p->max_raw_frags = max_frags;

From e9e0a5854b6dc888f44e7e280a007326714199a6 Mon Sep 17 00:00:00 2001
From: Zhang Chen
Date: Thu, 18 Aug 2016 11:23:25 +0800
Subject: [PATCH 2/2] net/net: properly handle multiple packets in net_fill_rstate()

When network is busy, we will receive multiple packets at one time. In that situation, we should keep trying to do the receiving instead of finalizing only the first packet.

Signed-off-by: Zhang Chen
Signed-off-by: Li Zhijian
Signed-off-by: Jason Wang
---
 net/net.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/net.c b/net/net.c
index c124b11e4d..d51cb29882 100644
--- a/net/net.c
+++ b/net/net.c
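Review bot: The added `g_new(struct iovec, max_frags + NET_TX_PKT_PL_START_FRAG)` only catches the multiplication by the element size, not the addition inside it: if max_frags is near the top of its unsigned range, the sum wraps to a small count before g_new() ever sees it and the overflow check never fires. The parameter types are not visible here (the signature is cut in the `@@` header), so whether the caller already bounds max_frags cannot be confirmed from this hunk. A guard ahead of the first allocation, e.g. `assert(max_frags <= UINT32_MAX - NET_TX_PKT_PL_START_FRAG);` assuming a uint32_t parameter, or an explicit range check at the call site, would close that gap. Note also that g_new() aborts on overflow rather than returning NULL, so a count that reaches this point from device configuration still ends in a process abort rather than a rejected request; rejecting it earlier is the cleaner outcome. net_tx_pkt_init() continues outside the hunk.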
@@ -1602,9 +1602,8 @@ void net_socket_rs_init(SocketReadState *rs,
 /*
  * Returns
- * 0: SocketReadState is not ready
- * 1: SocketReadState is ready
- * otherwise error occurs
+ * 0: success
+ * -1: error occurs
  */
 int net_fill_rstate(SocketReadState *rs, const uint8_t *buf, int size)
 {
@@ -1652,10 +1651,11 @@ int net_fill_rstate(SocketReadState *rs, const uint8_t *buf, int size)
             if (rs->finalize) {
                 rs->finalize(rs);
             }
-            return 1;
         }
         break;
     }
 }
+
+    assert(size == 0);
     return 0;
 }
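Review bot: The rewritten header comment drops the `1` ("ready") return value, so any caller that tested for a positive result now only ever sees 0; the diffstat touches net/net.c alone, so the callers of net_fill_rstate() in other files should be checked against the new `0`/`-1` meaning. The comment also does not say which condition yields -1, and no `return -1` is visible in either hunk of this file; the body between the two hunks is outside the diff, so confirm every early-exit path still matches the documented contract. A one-line addition such as ` * -1: error occurs (input rejected; rs is left unchanged)` would be worth adding only if the body actually guarantees that, which cannot be verified here.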
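Review bot: The new `assert(size == 0);` after the loop turns a miscount of the socket-supplied `size` into a process abort, and since `size` derives from bytes received from a peer that is a crash path rather than the `-1` the header comment now documents. The loop header is outside the hunk; if it is `while (size > 0)`, the assertion can only fire on a negative residual, i.e. the state machine consumed more than it was given, which is an internal invariant and deserves a comment saying so: `/* the state machine must consume exactly the bytes it was handed; a negative residual means over-consumption */`. If instead the loop can exit with bytes left over, the function should return -1 for that case rather than assert. net_fill_rstate() begins before this hunk, so the exit paths that justified the removed `return 1` cannot be confirmed here.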