diff --git a/cadence_gem-switch-to-use-qemu_receive_packet-for-lo.patch b/cadence_gem-switch-to-use-qemu_receive_packet-for-lo.patch new file mode 100644 index 0000000000000000000000000000000000000000..0f126c50514b0227ed829d0c4b6fbe3e7e6c413e --- /dev/null +++ b/cadence_gem-switch-to-use-qemu_receive_packet-for-lo.patch @@ -0,0 +1,44 @@ +From 5b6f7a8206312f176a63cb7e10fbd4e0b6ec6667 Mon Sep 17 00:00:00 2001 +From: Alexander Bulekov +Date: Fri, 14 May 2021 10:39:58 +0800 +Subject: [PATCH] cadence_gem: switch to use qemu_receive_packet() for loopback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fix CVE-2021-3416 + +This patch switches to use qemu_receive_packet() which can detect +reentrancy and return early. + +This is intended to address CVE-2021-3416. + +Cc: Prasad J Pandit +Cc: qemu-stable@nongnu.org +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Alexander Bulekov +Signed-off-by: Jason Wang + +Signed-off-by: Jiajie Li +--- + hw/net/cadence_gem.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c +index d412085884..52205f36be 100644 +--- a/hw/net/cadence_gem.c ++++ b/hw/net/cadence_gem.c +@@ -1221,8 +1221,8 @@ static void gem_transmit(CadenceGEMState *s) + /* Send the packet somewhere */ + if (s->phy_loop || (s->regs[GEM_NWCTRL] & + GEM_NWCTRL_LOCALLOOP)) { +- gem_receive(qemu_get_queue(s->nic), tx_packet, +- total_bytes); ++ qemu_receive_packet(qemu_get_queue(s->nic), tx_packet, ++ total_bytes); + } else { + qemu_send_packet(qemu_get_queue(s->nic), tx_packet, + total_bytes); +-- +2.27.0 + diff --git a/dp8393x-switch-to-use-qemu_receive_packet-for-loopba.patch b/dp8393x-switch-to-use-qemu_receive_packet-for-loopba.patch new file mode 100644 index 0000000000000000000000000000000000000000..d35edf797348bbd27d6ea834ef33315fd29e7710 --- /dev/null +++ b/dp8393x-switch-to-use-qemu_receive_packet-for-loopba.patch @@ -0,0 +1,42 @@ +From c0fb847c0dd1d9c995fa3be4008685db9426e8b6 Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Fri, 14 May 2021 10:24:53 +0800 +Subject: [PATCH] dp8393x: switch to use qemu_receive_packet() for loopback + packet +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fix CVE-2021-3416 + +This patch switches to use qemu_receive_packet() which can detect +reentrancy and return early. + +This is intended to address CVE-2021-3416. + +Cc: Prasad J Pandit +Cc: qemu-stable@nongnu.org +Reviewed-by: Philippe Mathieu-Daudé + +Signed-off-by: Jiajie Li +--- + hw/net/dp8393x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c +index bdb0b3b2c2..a64da76bf3 100644 +--- a/hw/net/dp8393x.c ++++ b/hw/net/dp8393x.c +@@ -459,7 +459,7 @@ static void dp8393x_do_transmit_packets(dp8393xState *s) + s->regs[SONIC_TCR] |= SONIC_TCR_CRSL; + if (nc->info->can_receive(nc)) { + s->loopback_packet = 1; +- nc->info->receive(nc, s->tx_buffer, tx_len); ++ qemu_receive_packet(nc, s->tx_buffer, tx_len); + } + } else { + /* Transmit packet */ +-- +2.27.0 + diff --git a/e1000-switch-to-use-qemu_receive_packet-for-loopback.patch b/e1000-switch-to-use-qemu_receive_packet-for-loopback.patch new file mode 100644 index 0000000000000000000000000000000000000000..482dc86794e6c431f23cb67c4a132d07f12318c0 --- /dev/null +++ b/e1000-switch-to-use-qemu_receive_packet-for-loopback.patch @@ -0,0 +1,41 @@ +From 7da8e7152f7e79a993a27b21e6381d8a67d54b7a Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Fri, 14 May 2021 10:21:33 +0800 +Subject: [PATCH] e1000: switch to use qemu_receive_packet() for loopback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fix CVE-2021-3416 + +This patch switches to use qemu_receive_packet() which can detect +reentrancy and return early. + +This is intended to address CVE-2021-3416. + +Cc: Prasad J Pandit +Cc: qemu-stable@nongnu.org +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Jason Wang + +Signed-off-by: Jiajie Li +--- + hw/net/e1000.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/net/e1000.c b/hw/net/e1000.c +index a023ceb27c..a99aa3ccc3 100644 +--- a/hw/net/e1000.c ++++ b/hw/net/e1000.c +@@ -546,7 +546,7 @@ e1000_send_packet(E1000State *s, const uint8_t *buf, int size) + + NetClientState *nc = qemu_get_queue(s->nic); + if (s->phy_reg[PHY_CTRL] & MII_CR_LOOPBACK) { +- nc->info->receive(nc, buf, size); ++ qemu_receive_packet(nc, buf, size); + } else { + qemu_send_packet(nc, buf, size); + } +-- +2.27.0 + diff --git a/lan9118-switch-to-use-qemu_receive_packet-for-loopba.patch b/lan9118-switch-to-use-qemu_receive_packet-for-loopba.patch new file mode 100644 index 0000000000000000000000000000000000000000..78257f2019ca339f3d03eccfc2a1662ffb212e37 --- /dev/null +++ b/lan9118-switch-to-use-qemu_receive_packet-for-loopba.patch @@ -0,0 +1,42 @@ +From dffe48c17a7d66b86a2504b81479f0e408c3e221 Mon Sep 17 00:00:00 2001 +From: Alexander Bulekov +Date: Fri, 14 May 2021 10:41:41 +0800 +Subject: [PATCH] lan9118: switch to use qemu_receive_packet() for loopback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fix CVE-2021-3416 + +This patch switches to use qemu_receive_packet() which can detect +reentrancy and return early. + +This is intended to address CVE-2021-3416. + +Cc: Prasad J Pandit +Cc: qemu-stable@nongnu.org +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Jason Wang + +Signed-off-by: Jiajie Li +--- + hw/net/lan9118.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c +index f6120be219..f1a1d2351e 100644 +--- a/hw/net/lan9118.c ++++ b/hw/net/lan9118.c +@@ -662,7 +662,7 @@ static void do_tx_packet(lan9118_state *s) + /* FIXME: Honor TX disable, and allow queueing of packets. */ + if (s->phy_control & 0x4000) { + /* This assumes the receive routine doesn't touch the VLANClient. */ +- lan9118_receive(qemu_get_queue(s->nic), s->txp->data, s->txp->len); ++ qemu_receive_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len); + } else { + qemu_send_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len); + } +-- +2.27.0 + diff --git a/net-introduce-qemu_receive_packet.patch b/net-introduce-qemu_receive_packet.patch new file mode 100644 index 0000000000000000000000000000000000000000..d59f758182e6c40cbf3fefe350db48380a1deab0 --- /dev/null +++ b/net-introduce-qemu_receive_packet.patch @@ -0,0 +1,167 @@ +From 53dffa2e38b52ea3de466bf26d016ac0fae531b5 Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Fri, 14 May 2021 10:14:02 +0800 +Subject: [PATCH] net: introduce qemu_receive_packet() + +Fix CVE-2021-3416 + +Some NIC supports loopback mode and this is done by calling +nc->info->receive() directly which in fact suppresses the effort of +reentrancy check that is done in qemu_net_queue_send(). + +Unfortunately we can use qemu_net_queue_send() here since for loop +back there's no sender as peer, so this patch introduce a +qemu_receive_packet() which is used for implementing loopback mode +for a NIC with this check. + +NIC that supports loopback mode will be converted to this helper. + +Signed-off-by: Jason Wang +Signed-off-by: Jiajie Li +--- + include/net/net.h | 5 +++++ + include/net/queue.h | 8 ++++++++ + net/net.c | 38 +++++++++++++++++++++++++++++++------- + net/queue.c | 22 ++++++++++++++++++++++ + 4 files changed, 66 insertions(+), 7 deletions(-) + +diff --git a/include/net/net.h b/include/net/net.h +index acf0451fc4..5609b2ecba 100644 +--- a/include/net/net.h ++++ b/include/net/net.h +@@ -143,12 +143,17 @@ void *qemu_get_nic_opaque(NetClientState *nc); + void qemu_del_net_client(NetClientState *nc); + typedef void (*qemu_nic_foreach)(NICState *nic, void *opaque); + void qemu_foreach_nic(qemu_nic_foreach func, void *opaque); ++int qemu_can_receive_packet(NetClientState *nc); + int qemu_can_send_packet(NetClientState *nc); + ssize_t qemu_sendv_packet(NetClientState *nc, const struct iovec *iov, + int iovcnt); + ssize_t qemu_sendv_packet_async(NetClientState *nc, const struct iovec *iov, + int iovcnt, NetPacketSent *sent_cb); + ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size); ++ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf,int size); ++ssize_t qemu_receive_packet_iov(NetClientState *nc, ++ const struct iovec *iov, ++ int iovcnt); + ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size); + ssize_t qemu_send_packet_async(NetClientState *nc, const uint8_t *buf, + int size, NetPacketSent *sent_cb); +diff --git a/include/net/queue.h b/include/net/queue.h +index c0269bb1dc..9f2f289d77 100644 +--- a/include/net/queue.h ++++ b/include/net/queue.h +@@ -55,6 +55,14 @@ void qemu_net_queue_append_iov(NetQueue *queue, + + void qemu_del_net_queue(NetQueue *queue); + ++ssize_t qemu_net_queue_receive(NetQueue *queue, ++ const uint8_t *data, ++ size_t size); ++ ++ssize_t qemu_net_queue_receive_iov(NetQueue *queue, ++ const struct iovec *iov, ++ int iovcnt); ++ + ssize_t qemu_net_queue_send(NetQueue *queue, + NetClientState *sender, + unsigned flags, +diff --git a/net/net.c b/net/net.c +index 7d4098254f..3b5631879c 100644 +--- a/net/net.c ++++ b/net/net.c +@@ -514,6 +514,17 @@ int qemu_set_vnet_be(NetClientState *nc, bool is_be) + #endif + } + ++int qemu_can_receive_packet(NetClientState *nc) ++{ ++ if (nc->receive_disabled) { ++ return 0; ++ } else if (nc->info->can_receive && ++ !nc->info->can_receive(nc)) { ++ return 0; ++ } ++ return 1; ++} ++ + int qemu_can_send_packet(NetClientState *sender) + { + int vm_running = runstate_is_running(); +@@ -526,13 +537,7 @@ int qemu_can_send_packet(NetClientState *sender) + return 1; + } + +- if (sender->peer->receive_disabled) { +- return 0; +- } else if (sender->peer->info->can_receive && +- !sender->peer->info->can_receive(sender->peer)) { +- return 0; +- } +- return 1; ++ return qemu_can_receive_packet(sender->peer); + } + + static ssize_t filter_receive_iov(NetClientState *nc, +@@ -665,6 +670,25 @@ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size) + return qemu_send_packet_async(nc, buf, size, NULL); + } + ++ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size) ++{ ++ if (!qemu_can_receive_packet(nc)) { ++ return 0; ++ } ++ ++ return qemu_net_queue_receive(nc->incoming_queue, buf, size); ++} ++ ++ssize_t qemu_receive_packet_iov(NetClientState *nc, const struct iovec *iov, ++ int iovcnt) ++{ ++ if (!qemu_can_receive_packet(nc)) { ++ return 0; ++ } ++ ++ return qemu_net_queue_receive_iov(nc->incoming_queue, iov, iovcnt); ++} ++ + ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size) + { + return qemu_send_packet_async_with_flags(nc, QEMU_NET_PACKET_FLAG_RAW, +diff --git a/net/queue.c b/net/queue.c +index 61276ca4be..7c0b72c8ef 100644 +--- a/net/queue.c ++++ b/net/queue.c +@@ -182,6 +182,28 @@ static ssize_t qemu_net_queue_deliver_iov(NetQueue *queue, + return ret; + } + ++ssize_t qemu_net_queue_receive(NetQueue *queue, ++ const uint8_t *data, ++ size_t size) ++{ ++ if (queue->delivering) { ++ return 0; ++ } ++ ++ return qemu_net_queue_deliver(queue, NULL, 0, data, size); ++} ++ ++ssize_t qemu_net_queue_receive_iov(NetQueue *queue, ++ const struct iovec *iov, ++ int iovcnt) ++{ ++ if (queue->delivering) { ++ return 0; ++ } ++ ++ return qemu_net_queue_deliver_iov(queue, NULL, 0, iov, iovcnt); ++} ++ + ssize_t qemu_net_queue_send(NetQueue *queue, + NetClientState *sender, + unsigned flags, +-- +2.27.0 + diff --git a/pcnet-switch-to-use-qemu_receive_packet-for-loopback.patch b/pcnet-switch-to-use-qemu_receive_packet-for-loopback.patch new file mode 100644 index 0000000000000000000000000000000000000000..86f48636b890716e151c35301e565b899d2df7d9 --- /dev/null +++ b/pcnet-switch-to-use-qemu_receive_packet-for-loopback.patch @@ -0,0 +1,43 @@ +From 278c72692d362a082a8f47337e5f15929134f3e2 Mon Sep 17 00:00:00 2001 +From: Alexander Bulekov +Date: Fri, 14 May 2021 10:37:29 +0800 +Subject: [PATCH] pcnet: switch to use qemu_receive_packet() for loopback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fix CVE-2021-3416 + +This patch switches to use qemu_receive_packet() which can detect +reentrancy and return early. + +This is intended to address CVE-2021-3416. + +Cc: Prasad J Pandit +Cc: qemu-stable@nongnu.org +Buglink: https://bugs.launchpad.net/qemu/+bug/1917085 +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Jason Wang + +Signed-off-by: Jiajie Li +--- + hw/net/pcnet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c +index 16683091c9..9e8d267536 100644 +--- a/hw/net/pcnet.c ++++ b/hw/net/pcnet.c +@@ -1249,7 +1249,7 @@ txagain: + if (BCR_SWSTYLE(s) == 1) + add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS); + s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC; +- pcnet_receive(qemu_get_queue(s->nic), s->buffer, s->xmit_pos); ++ qemu_receive_packet(qemu_get_queue(s->nic), s->buffer, s->xmit_pos); + s->looptest = 0; + } else { + if (s->nic) { +-- +2.27.0 + diff --git a/qemu.spec b/qemu.spec index 74ebe2d37398b332e940437a84517dc4208b8994..6137b69725d7f5983286a5636e3b99c90d3a5e64 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 36 +Release: 37 Epoch: 2 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY @@ -217,6 +217,15 @@ Patch0204: hw-sd-sdhci-Don-t-write-to-SDHC_SYSAD-register-when-.patch Patch0205: hw-sd-sdhci-Correctly-set-the-controller-status-for-.patch Patch0206: hw-sd-sdhci-Limit-block-size-only-when-SDHC_BLKSIZE-.patch Patch0207: hw-sd-sdhci-Reset-the-data-pointer-of-s-fifo_buffer-.patch +Patch0208: net-introduce-qemu_receive_packet.patch +Patch0209: e1000-switch-to-use-qemu_receive_packet-for-loopback.patch +Patch0210: dp8393x-switch-to-use-qemu_receive_packet-for-loopba.patch +Patch0211: sungem-switch-to-use-qemu_receive_packet-for-loopbac.patch +Patch0212: tx_pkt-switch-to-use-qemu_receive_packet_iov-for-loo.patch +Patch0213: rtl8139-switch-to-use-qemu_receive_packet-for-loopba.patch +Patch0214: pcnet-switch-to-use-qemu_receive_packet-for-loopback.patch +Patch0215: cadence_gem-switch-to-use-qemu_receive_packet-for-lo.patch +Patch0216: lan9118-switch-to-use-qemu_receive_packet-for-loopba.patch BuildRequires: flex BuildRequires: bison @@ -562,6 +571,17 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Fri May 14 2021 Chen Qun +- net: introduce qemu_receive_packet() +- e1000: switch to use qemu_receive_packet() for loopback +- dp8393x: switch to use qemu_receive_packet() for loopback packet +- sungem: switch to use qemu_receive_packet() for loopback +- tx_pkt: switch to use qemu_receive_packet_iov() for loopback +- rtl8139: switch to use qemu_receive_packet() for loopback +- pcnet: switch to use qemu_receive_packet() for loopback +- cadence_gem: switch to use qemu_receive_packet() for loopback +- lan9118: switch to use qemu_receive_packet() for loopback + * Tue May 11 2021 Chen Qun - hw/sd: sdhci: Don't transfer any data when command time out - hw/sd: sdhci: Don't write to SDHC_SYSAD register when transfer is in progress diff --git a/rtl8139-switch-to-use-qemu_receive_packet-for-loopba.patch b/rtl8139-switch-to-use-qemu_receive_packet-for-loopba.patch new file mode 100644 index 0000000000000000000000000000000000000000..ae73d796041e9df19ce24b3fb492002cbc15649d --- /dev/null +++ b/rtl8139-switch-to-use-qemu_receive_packet-for-loopba.patch @@ -0,0 +1,43 @@ +From 59d7f4628ecd02197c95a20621da45e878a534b4 Mon Sep 17 00:00:00 2001 +From: Alexander Bulekov +Date: Fri, 14 May 2021 10:35:11 +0800 +Subject: [PATCH] rtl8139: switch to use qemu_receive_packet() for loopback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fix CVE-2021-3416 + +This patch switches to use qemu_receive_packet() which can detect +reentrancy and return early. + +This is intended to address CVE-2021-3416. + +Cc: Prasad J Pandit +Cc: qemu-stable@nongnu.org +Buglink: https://bugs.launchpad.net/qemu/+bug/1910826 +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Jason Wang + +Signed-off-by: Jiajie Li +--- + hw/net/rtl8139.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c +index 09273171e5..79584fbb17 100644 +--- a/hw/net/rtl8139.c ++++ b/hw/net/rtl8139.c +@@ -1792,7 +1792,7 @@ static void rtl8139_transfer_frame(RTL8139State *s, uint8_t *buf, int size, + } + + DPRINTF("+++ transmit loopback mode\n"); +- rtl8139_do_receive(qemu_get_queue(s->nic), buf, size, do_interrupt); ++ qemu_receive_packet(qemu_get_queue(s->nic), buf, size); + + if (iov) { + g_free(buf2); +-- +2.27.0 + diff --git a/sungem-switch-to-use-qemu_receive_packet-for-loopbac.patch b/sungem-switch-to-use-qemu_receive_packet-for-loopbac.patch new file mode 100644 index 0000000000000000000000000000000000000000..2298f4fcd2708c477a8d397e64bf360108d8bbd1 --- /dev/null +++ b/sungem-switch-to-use-qemu_receive_packet-for-loopbac.patch @@ -0,0 +1,43 @@ +From 190240b98713e1180a92c62a2899cf4406c642ac Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Fri, 14 May 2021 10:30:23 +0800 +Subject: [PATCH] sungem: switch to use qemu_receive_packet() for loopback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fix CVE-2021-3416 + +This patch switches to use qemu_receive_packet() which can detect +reentrancy and return early. + +This is intended to address CVE-2021-3416. + +Cc: Prasad J Pandit +Cc: qemu-stable@nongnu.org +Reviewed-by: Mark Cave-Ayland +Reviewed-by: Philippe Mathieu-Daudé +Reviewed-by: Alistair Francis +Signed-off-by: Jason Wang + +Signed-off-by: Jiajie Li +--- + hw/net/sungem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/net/sungem.c b/hw/net/sungem.c +index 89bcf749d1..37b62f62b8 100644 +--- a/hw/net/sungem.c ++++ b/hw/net/sungem.c +@@ -303,7 +303,7 @@ static void sungem_send_packet(SunGEMState *s, const uint8_t *buf, + NetClientState *nc = qemu_get_queue(s->nic); + + if (s->macregs[MAC_XIFCFG >> 2] & MAC_XIFCFG_LBCK) { +- nc->info->receive(nc, buf, size); ++ qemu_receive_packet(nc, buf, size); + } else { + qemu_send_packet(nc, buf, size); + } +-- +2.27.0 + diff --git a/tx_pkt-switch-to-use-qemu_receive_packet_iov-for-loo.patch b/tx_pkt-switch-to-use-qemu_receive_packet_iov-for-loo.patch new file mode 100644 index 0000000000000000000000000000000000000000..a9e4b24cb6288a062886b6656795ffff3a47daca --- /dev/null +++ b/tx_pkt-switch-to-use-qemu_receive_packet_iov-for-loo.patch @@ -0,0 +1,41 @@ +From 02385fb3cf35d2b768af341cc8a33a168e15c22c Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Fri, 14 May 2021 10:32:24 +0800 +Subject: [PATCH] tx_pkt: switch to use qemu_receive_packet_iov() for loopback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fix CVE-2021-3416 + +This patch switches to use qemu_receive_receive_iov() which can detect +reentrancy and return early. + +This is intended to address CVE-2021-3416. + +Cc: Prasad J Pandit +Cc: qemu-stable@nongnu.org +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Jason Wang + +Signed-off-by: Jiajie Li +--- + hw/net/net_tx_pkt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c +index 54d4c3bbd0..646cdfaf4d 100644 +--- a/hw/net/net_tx_pkt.c ++++ b/hw/net/net_tx_pkt.c +@@ -544,7 +544,7 @@ static inline void net_tx_pkt_sendv(struct NetTxPkt *pkt, + NetClientState *nc, const struct iovec *iov, int iov_cnt) + { + if (pkt->is_loopback) { +- nc->info->receive_iov(nc, iov, iov_cnt); ++ qemu_receive_packet_iov(nc, iov, iov_cnt); + } else { + qemu_sendv_packet(nc, iov, iov_cnt); + } +-- +2.27.0 +