[Qemu-devel] [PATCH 06/25] net: vmxnet: check IP header length
From: Michael Roth
Subject: [Qemu-devel] [PATCH 06/25] net: vmxnet: check IP header length
Date: Tue, 20 Sep 2016 12:05:22 -0500
From: Li Qiang <address@hidden>
Vmxnet3 device emulator when parsing packet headers does not check
for IP header length. It could lead to an OOB access when reading
further packet data. Add check to avoid it.
Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Reviewed-by: Dmitry Fleytman <address@hidden>
Signed-off-by: Michael Roth <address@hidden>
---
hw/net/vmxnet_tx_pkt.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hw/net/vmxnet_tx_pkt.c b/hw/net/vmxnet_tx_pkt.c
index f4d0f5f..5ba2f5e 100644
--- a/hw/net/vmxnet_tx_pkt.c
+++ b/hw/net/vmxnet_tx_pkt.c
@@ -178,6 +178,11 @@ static bool vmxnet_tx_pkt_parse_headers(struct VmxnetTxPkt
*pkt)
}
l3_hdr->iov_len = IP_HDR_GET_LEN(l3_hdr->iov_base);
+ if(l3_hdr->iov_len < sizeof(struct ip_header))
+ {
+ l3_hdr->iov_len = 0;
+ return false;
+ }
pkt->l4proto = ((struct ip_header *) l3_hdr->iov_base)->ip_p;
/* copy optional IPv4 header data */
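Review bot: The check added after `l3_hdr->iov_len = IP_HDR_GET_LEN(l3_hdr->iov_base);` enforces only the lower bound (`iov_len < sizeof(struct ip_header)`), while the next step in the context, "copy optional IPv4 header data", works from the same packet-derived length. It is worth confirming in the code, or stating in the commit message, that the upper bound is covered as well: the length taken from the header should not exceed the space behind `l3_hdr->iov_base` or the bytes actually present in the packet. On style, QEMU's coding style puts a space after `if` and the opening brace on the same line, so the condition would read `if (l3_hdr->iov_len < sizeof(struct ip_header)) {`. A short comment on why `iov_len` is reset to 0 before `return false` would also help, since the visible lines do not show whether callers look at it after a failed parse.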
--
1.9.1