qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH] net: check payload length limit for all frames

From: P J P
Subject: [PATCH] net: check payload length limit for all frames
Date: Fri, 17 Jul 2020 00:53:35 +0530 
From: Prasad J Pandit <pjp@fedoraproject.org>

While sending packets, the check that packet 'payload_len'
is within 64kB limit, seems to happen only for GSO frames.
It may lead to use-after-free or out-of-bounds access like
issues when sending non-GSO frames. Check the 'payload_len'
limit for all packets, irrespective of the gso type.

Reported-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
 hw/net/net_tx_pkt.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
index 162f802dd7..e66998a8f9 100644
--- a/hw/net/net_tx_pkt.c
+++ b/hw/net/net_tx_pkt.c
@@ -607,12 +607,10 @@ bool net_tx_pkt_send(struct NetTxPkt *pkt, NetClientState 
*nc)
      * Since underlying infrastructure does not support IP datagrams longer
      * than 64K we should drop such packets and don't even try to send
      */
-    if (VIRTIO_NET_HDR_GSO_NONE != pkt->virt_hdr.gso_type) {
-        if (pkt->payload_len >
-            ETH_MAX_IP_DGRAM_LEN -
-            pkt->vec[NET_TX_PKT_L3HDR_FRAG].iov_len) {
-            return false;
-        }
+    if (pkt->payload_len >
+        ETH_MAX_IP_DGRAM_LEN -
+        pkt->vec[NET_TX_PKT_L3HDR_FRAG].iov_len) {
+        return false;
     }
 
     if (pkt->has_virt_hdr ||
-- 
2.26.2
reply via email to
[Prev in Thread] Current Thread [Next in Thread]