[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH 74/81] NetRxPkt: Fix memory corruption on VLAN heade
|
From: |
Michael Roth |
|
Subject: |
[Qemu-devel] [PATCH 74/81] NetRxPkt: Fix memory corruption on VLAN header stripping |
|
Date: |
Mon, 20 Mar 2017 18:08:38 -0500 |
From: Dmitry Fleytman <address@hidden>
This patch fixed a problem that was introduced in commit eb700029.
When net_rx_pkt_attach_iovec() calls eth_strip_vlan()
this can result in pkt->ehdr_buf being overflowed, because
ehdr_buf is only sizeof(struct eth_header) bytes large
but eth_strip_vlan() can write
sizeof(struct eth_header) + sizeof(struct vlan_header)
bytes into it.
Devices affected by this problem: vmxnet3.
Cc: address@hidden
Reported-by: Peter Maydell <address@hidden>
Signed-off-by: Dmitry Fleytman <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
(cherry picked from commit df8bf7a7fe75eb5d5caffa55f5cd4292b757aea6)
Signed-off-by: Michael Roth <address@hidden>
---
hw/net/net_rx_pkt.c | 34 +++++++++++++++++-----------------
1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/hw/net/net_rx_pkt.c b/hw/net/net_rx_pkt.c
index 1019b50..7c0beac 100644
--- a/hw/net/net_rx_pkt.c
+++ b/hw/net/net_rx_pkt.c
@@ -23,13 +23,13 @@
struct NetRxPkt {
struct virtio_net_hdr virt_hdr;
- uint8_t ehdr_buf[sizeof(struct eth_header)];
+ uint8_t ehdr_buf[sizeof(struct eth_header) + sizeof(struct vlan_header)];
struct iovec *vec;
uint16_t vec_len_total;
uint16_t vec_len;
uint32_t tot_len;
uint16_t tci;
- bool vlan_stripped;
+ size_t ehdr_buf_len;
bool has_virt_hdr;
eth_pkt_types_e packet_type;
@@ -88,15 +88,13 @@ net_rx_pkt_pull_data(struct NetRxPkt *pkt,
const struct iovec *iov, int iovcnt,
size_t ploff)
{
- if (pkt->vlan_stripped) {
+ if (pkt->ehdr_buf_len) {
net_rx_pkt_iovec_realloc(pkt, iovcnt + 1);
pkt->vec[0].iov_base = pkt->ehdr_buf;
- pkt->vec[0].iov_len = sizeof(pkt->ehdr_buf);
-
- pkt->tot_len =
- iov_size(iov, iovcnt) - ploff + sizeof(struct eth_header);
+ pkt->vec[0].iov_len = pkt->ehdr_buf_len;
+ pkt->tot_len = iov_size(iov, iovcnt) - ploff + pkt->ehdr_buf_len;
pkt->vec_len = iov_copy(pkt->vec + 1, pkt->vec_len_total - 1,
iov, iovcnt, ploff, pkt->tot_len);
} else {
@@ -123,11 +121,12 @@ void net_rx_pkt_attach_iovec(struct NetRxPkt *pkt,
uint16_t tci = 0;
uint16_t ploff = iovoff;
assert(pkt);
- pkt->vlan_stripped = false;
if (strip_vlan) {
- pkt->vlan_stripped = eth_strip_vlan(iov, iovcnt, iovoff, pkt->ehdr_buf,
- &ploff, &tci);
+ pkt->ehdr_buf_len = eth_strip_vlan(iov, iovcnt, iovoff, pkt->ehdr_buf,
+ &ploff, &tci);
+ } else {
+ pkt->ehdr_buf_len = 0;
}
pkt->tci = tci;
@@ -143,12 +142,13 @@ void net_rx_pkt_attach_iovec_ex(struct NetRxPkt *pkt,
uint16_t tci = 0;
uint16_t ploff = iovoff;
assert(pkt);
- pkt->vlan_stripped = false;
if (strip_vlan) {
- pkt->vlan_stripped = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet,
- pkt->ehdr_buf,
- &ploff, &tci);
+ pkt->ehdr_buf_len = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet,
+ pkt->ehdr_buf,
+ &ploff, &tci);
+ } else {
+ pkt->ehdr_buf_len = 0;
}
pkt->tci = tci;
@@ -162,8 +162,8 @@ void net_rx_pkt_dump(struct NetRxPkt *pkt)
NetRxPkt *pkt = (NetRxPkt *)pkt;
assert(pkt);
- printf("RX PKT: tot_len: %d, vlan_stripped: %d, vlan_tag: %d\n",
- pkt->tot_len, pkt->vlan_stripped, pkt->tci);
+ printf("RX PKT: tot_len: %d, ehdr_buf_len: %lu, vlan_tag: %d\n",
+ pkt->tot_len, pkt->ehdr_buf_len, pkt->tci);
#endif
}
@@ -426,7 +426,7 @@ bool net_rx_pkt_is_vlan_stripped(struct NetRxPkt *pkt)
{
assert(pkt);
- return pkt->vlan_stripped;
+ return pkt->ehdr_buf_len ? true : false;
}
bool net_rx_pkt_has_virt_hdr(struct NetRxPkt *pkt)
--
2.7.4
- [Qemu-devel] [PATCH 41/81] ui/gtk: fix crash at startup when no console is available, (continued)
- [Qemu-devel] [PATCH 41/81] ui/gtk: fix crash at startup when no console is available, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 44/81] qemu-thread: fix qemu_thread_set_name() race in qemu_thread_create(), Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 49/81] char: fix ctrl-a b not working, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 51/81] tcg/aarch64: Fix tcg_out_movi, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 52/81] ui: use evdev keymap when running under wayland, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 56/81] cirrus: fix oob access issue (CVE-2017-2615), Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 70/81] qga: ignore EBUSY when freezing a filesystem, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 75/81] NetRxPkt: Do not try to pull more data than present, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 06/81] 9pfs: local: open/opendir: don't follow symlinks, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 59/81] target/s390x: use "qemu" cpu model in user mode, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 74/81] NetRxPkt: Fix memory corruption on VLAN header stripping,
Michael Roth <=
- [Qemu-devel] [PATCH 69/81] target-i386: correctly propagate retaddr into SVM helpers, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 08/81] 9pfs: local: llistxattr: don't follow symlinks, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 61/81] block/nfs: fix NULL pointer dereference in URI parsing, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 05/81] 9pfs: local: keep a file descriptor on the shared folder, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 64/81] vnc: do not disconnect on EAGAIN, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 63/81] sd: sdhci: check data length during dma_memory_read, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 76/81] NetRxPkt: Account buffer with ETH header in IOV length, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 66/81] block/vmdk: Fix the endian problem of buf_len and lba, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 73/81] eth: Extend vlan stripping functions, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 77/81] e1000e: correctly tear down MSI-X memory regions, Michael Roth, 2017/03/20