hw/net/vmxnet3: Fix guest-triggerable assert()

The assert() that checks for valid MTU sizes can be triggered by the guest (e.g. with the reproducer code from the bug ticket https://gitlab.com/qemu-project/qemu/-/issues/517 ). Let's avoid this problem by simply logging the error and refusing to activate the device instead. Fixes: d05dcd9 ("net: vmxnet3: validate configuration values during activate") Signed-off-by: Thomas Huth <thuth@redhat.com> Cc: qemu-stable@nongnu.org Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> [Mjt: change format specifier from %d to %u for uint32_t argument] (cherry picked from commit 90a0778) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
qemu · Sep 11, 2023 · ebac7b1 · ebac7b1
1 parent 721c4c8
commit ebac7b1
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
@@ -1441,7 +1441,10 @@ static void vmxnet3_activate_device(VMXNET3State *s)
     vmxnet3_setup_rx_filtering(s);
     /* Cache fields from shared memory */
     s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu);
-    assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu <= VMXNET3_MAX_MTU);
+    if (s->mtu < VMXNET3_MIN_MTU || s->mtu > VMXNET3_MAX_MTU) {
+        qemu_log_mask(LOG_GUEST_ERROR, "vmxnet3: Bad MTU size: %u\n", s->mtu);
+        return;
+    }
     VMW_CFPRN("MTU is %u", s->mtu);
 
     s->max_rx_frags =