From: Fiona Ebner Date: Thu, 25 Aug 2022 09:29:10 +0000 (+0200) Subject: hw/net/vmxnet3: allow VMXNET3_MAX_MTU itself as a value X-Git-Tag: coverity-fixes-pull-request~90^2~4 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=099a63828130843741d317cb28e936f468b2b53b;p=qemu-nvme.git hw/net/vmxnet3: allow VMXNET3_MAX_MTU itself as a value Currently, VMXNET3_MAX_MTU itself (being 9000) is not considered a valid value for the MTU, but a guest running ESXi 7.0 might try to set it and fail the assert [0]. In the Linux kernel, dev->max_mtu itself is a valid value for the MTU and for the vmxnet3 driver it's 9000, so a guest running Linux will also fail the assert when trying to set an MTU of 9000. VMXNET3_MAX_MTU and s->mtu don't seem to be used in relation to buffer allocations/accesses, so allowing the upper limit itself as a value should be fine. [0]: https://forum.proxmox.com/threads/114011/ Fixes: d05dcd94ae ("net: vmxnet3: validate configuration values during activate (CVE-2021-20203)") Signed-off-by: Fiona Ebner Signed-off-by: Jason Wang --- diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c index d2ab527ef4..56559cda24 100644 --- a/hw/net/vmxnet3.c +++ b/hw/net/vmxnet3.c @@ -1441,7 +1441,7 @@ static void vmxnet3_activate_device(VMXNET3State *s) vmxnet3_setup_rx_filtering(s); /* Cache fields from shared memory */ s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu); - assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU); + assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu <= VMXNET3_MAX_MTU); VMW_CFPRN("MTU is %u", s->mtu); s->max_rx_frags =