[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PULL 26/51] hw/net/net_tx_pkt: Check the payload length
|
From: |
Jason Wang |
|
Subject: |
[PULL 26/51] hw/net/net_tx_pkt: Check the payload length |
|
Date: |
Tue, 7 Mar 2023 15:07:51 +0800 |
From: Akihiko Odaki <akihiko.odaki@daynix.com>
Check the payload length if checksumming to ensure the payload contains
the space for the resulting value.
This bug was found by Alexander Bulekov with the fuzzer:
https://patchew.org/QEMU/20230129053316.1071513-1-alxndr@bu.edu/
The fixed test case is:
fuzz/crash_6aeaa33e7211ecd603726c53e834df4c6d1e08bc
Fixes: e263cd49c7 ("Packet abstraction for VMWARE network devices")
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
hw/net/net_tx_pkt.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
index 4a35e84..986a3ad 100644
--- a/hw/net/net_tx_pkt.c
+++ b/hw/net/net_tx_pkt.c
@@ -342,11 +342,17 @@ bool net_tx_pkt_build_vheader(struct NetTxPkt *pkt, bool
tso_enable,
if (csum_enable) {
switch (pkt->l4proto) {
case IP_PROTO_TCP:
+ if (pkt->payload_len < sizeof(struct tcp_hdr)) {
+ return false;
+ }
pkt->virt_hdr.flags = VIRTIO_NET_HDR_F_NEEDS_CSUM;
pkt->virt_hdr.csum_start = pkt->hdr_len;
pkt->virt_hdr.csum_offset = offsetof(struct tcp_hdr, th_sum);
break;
case IP_PROTO_UDP:
+ if (pkt->payload_len < sizeof(struct udp_hdr)) {
+ return false;
+ }
pkt->virt_hdr.flags = VIRTIO_NET_HDR_F_NEEDS_CSUM;
pkt->virt_hdr.csum_start = pkt->hdr_len;
pkt->virt_hdr.csum_offset = offsetof(struct udp_hdr, uh_sum);
--
2.7.4
- [PULL 17/51] e1000e: Set MII_ANER_NWAY, (continued)
- [PULL 17/51] e1000e: Set MII_ANER_NWAY, Jason Wang, 2023/03/07
- [PULL 18/51] e1000e: Remove extra pointer indirection, Jason Wang, 2023/03/07
- [PULL 19/51] net: Check L4 header size, Jason Wang, 2023/03/07
- [PULL 20/51] e1000x: Alter the signature of e1000x_is_vlan_packet, Jason Wang, 2023/03/07
- [PULL 21/51] net: Strip virtio-net header when dumping, Jason Wang, 2023/03/07
- [PULL 22/51] hw/net/net_tx_pkt: Automatically determine if virtio-net header is used, Jason Wang, 2023/03/07
- [PULL 23/51] hw/net/net_rx_pkt: Remove net_rx_pkt_has_virt_hdr, Jason Wang, 2023/03/07
- [PULL 24/51] e1000e: Perform software segmentation for loopback, Jason Wang, 2023/03/07
- [PULL 27/51] e1000e: Do not assert when MSI-X is disabled later, Jason Wang, 2023/03/07
- [PULL 25/51] hw/net/net_tx_pkt: Implement TCP segmentation, Jason Wang, 2023/03/07
- [PULL 26/51] hw/net/net_tx_pkt: Check the payload length,
Jason Wang <=
- [PULL 28/51] MAINTAINERS: Add Akihiko Odaki as a e1000e reviewer, Jason Wang, 2023/03/07
- [PULL 29/51] MAINTAINERS: Add e1000e test files, Jason Wang, 2023/03/07
- [PULL 30/51] e1000e: Combine rx traces, Jason Wang, 2023/03/07
- [PULL 31/51] e1000: Count CRC in Tx statistics, Jason Wang, 2023/03/07
- [PULL 32/51] e1000e: Count CRC in Tx statistics, Jason Wang, 2023/03/07
- [PULL 37/51] e1000: Split header files, Jason Wang, 2023/03/07
- [PULL 34/51] e1000e: Implement system clock, Jason Wang, 2023/03/07
- [PULL 33/51] net/eth: Report if headers are actually present, Jason Wang, 2023/03/07
- [PULL 36/51] pcie: Introduce pcie_sriov_num_vfs, Jason Wang, 2023/03/07
- [PULL 39/51] tests/qtest/e1000e-test: Fabricate ethernet header, Jason Wang, 2023/03/07