@@ -728,7 +728,8 @@ e1000e_process_tx_desc(E1000ECore *core,
addr = le64_to_cpu(dp->buffer_addr);
if (!tx->skip_cp) {
- if (!net_tx_pkt_add_raw_fragment(tx->tx_pkt, addr, split_size)) {
+ if (net_tx_pkt_exceed_max_fragments(tx->tx_pkt) ||
+ !net_tx_pkt_add_raw_fragment(tx->tx_pkt, addr, split_size)) {
tx->skip_cp = true;
}
}
@@ -650,7 +650,8 @@ static void vmxnet3_process_tx_queue(VMXNET3State *s, int qidx)
data_len = (txd.len > 0) ? txd.len : VMXNET3_MAX_TX_BUF_SIZE;
data_pa = txd.addr;
- if (!net_tx_pkt_add_raw_fragment(s->tx_pkt,
+ if (net_tx_pkt_exceed_max_fragments(s->tx_pkt) ||
+ !net_tx_pkt_add_raw_fragment(s->tx_pkt,
data_pa,
data_len)) {
s->skip_current_tx_pkt = true;
This patch adds a check in both e1000e and vmxnet3 devices to skip the packet if the current data fragment exceeds max_raw_frags, preventing net_tx_pkt_add_raw_fragment() to be called with an invalid raw_frags. Reported-by: Ziming Zhang <ezrakiez@gmail.com> Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> --- hw/net/e1000e_core.c | 3 ++- hw/net/vmxnet3.c | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-)