[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH v5 18/29] net: Check L4 header size
From: |
Akihiko Odaki |
Subject: |
[PATCH v5 18/29] net: Check L4 header size |
Date: |
Wed, 1 Feb 2023 12:35:28 +0900 |
net_tx_pkt_build_vheader() inspects TCP header but had no check for
the header size, resulting in an undefined behavior. Check the header
size and drop the packet if the header is too small.
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
---
hw/net/e1000e_core.c | 19 ++++++++++++++-----
hw/net/net_tx_pkt.c | 13 ++++++++++---
hw/net/net_tx_pkt.h | 3 ++-
hw/net/vmxnet3.c | 14 +++++++-------
4 files changed, 33 insertions(+), 16 deletions(-)
diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c
index d143f2ae6f..38d374fba3 100644
--- a/hw/net/e1000e_core.c
+++ b/hw/net/e1000e_core.c
@@ -629,23 +629,30 @@ e1000e_rss_parse_packet(E1000ECore *core,
info->queue = E1000_RSS_QUEUE(&core->mac[RETA], info->hash);
}
-static void
+static bool
e1000e_setup_tx_offloads(E1000ECore *core, struct e1000e_tx *tx)
{
if (tx->props.tse && tx->cptse) {
- net_tx_pkt_build_vheader(tx->tx_pkt, true, true, tx->props.mss);
+ if (!net_tx_pkt_build_vheader(tx->tx_pkt, true, true, tx->props.mss)) {
+ return false;
+ }
+
net_tx_pkt_update_ip_checksums(tx->tx_pkt);
e1000x_inc_reg_if_not_full(core->mac, TSCTC);
- return;
+ return true;
}
if (tx->sum_needed & E1000_TXD_POPTS_TXSM) {
- net_tx_pkt_build_vheader(tx->tx_pkt, false, true, 0);
+ if (!net_tx_pkt_build_vheader(tx->tx_pkt, false, true, 0)) {
+ return false;
+ }
}
if (tx->sum_needed & E1000_TXD_POPTS_IXSM) {
net_tx_pkt_update_ip_hdr_checksum(tx->tx_pkt);
}
+
+ return true;
}
static bool
@@ -654,7 +661,9 @@ e1000e_tx_pkt_send(E1000ECore *core, struct e1000e_tx *tx,
int queue_index)
int target_queue = MIN(core->max_queue_num, queue_index);
NetClientState *queue = qemu_get_subqueue(core->owner_nic, target_queue);
- e1000e_setup_tx_offloads(core, tx);
+ if (!e1000e_setup_tx_offloads(core, tx)) {
+ return false;
+ }
net_tx_pkt_dump(tx->tx_pkt);
diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
index 2533ea2700..8a23899a4d 100644
--- a/hw/net/net_tx_pkt.c
+++ b/hw/net/net_tx_pkt.c
@@ -304,10 +304,11 @@ func_exit:
return rc;
}
-void net_tx_pkt_build_vheader(struct NetTxPkt *pkt, bool tso_enable,
+bool net_tx_pkt_build_vheader(struct NetTxPkt *pkt, bool tso_enable,
bool csum_enable, uint32_t gso_size)
{
struct tcp_hdr l4hdr;
+ size_t bytes_read;
assert(pkt);
/* csum has to be enabled if tso is. */
@@ -328,8 +329,12 @@ void net_tx_pkt_build_vheader(struct NetTxPkt *pkt, bool
tso_enable,
case VIRTIO_NET_HDR_GSO_TCPV4:
case VIRTIO_NET_HDR_GSO_TCPV6:
- iov_to_buf(&pkt->vec[NET_TX_PKT_PL_START_FRAG], pkt->payload_frags,
- 0, &l4hdr, sizeof(l4hdr));
+ bytes_read = iov_to_buf(&pkt->vec[NET_TX_PKT_PL_START_FRAG],
+ pkt->payload_frags, 0, &l4hdr, sizeof(l4hdr));
+ if (bytes_read < sizeof(l4hdr)) {
+ return false;
+ }
+
pkt->virt_hdr.hdr_len = pkt->hdr_len + l4hdr.th_off * sizeof(uint32_t);
pkt->virt_hdr.gso_size = gso_size;
break;
@@ -354,6 +359,8 @@ void net_tx_pkt_build_vheader(struct NetTxPkt *pkt, bool
tso_enable,
break;
}
}
+
+ return true;
}
void net_tx_pkt_setup_vlan_header_ex(struct NetTxPkt *pkt,
diff --git a/hw/net/net_tx_pkt.h b/hw/net/net_tx_pkt.h
index 4ec8bbe9bd..2e38a5fa69 100644
--- a/hw/net/net_tx_pkt.h
+++ b/hw/net/net_tx_pkt.h
@@ -59,9 +59,10 @@ struct virtio_net_hdr *net_tx_pkt_get_vhdr(struct NetTxPkt
*pkt);
* @tso_enable: TSO enabled
* @csum_enable: CSO enabled
* @gso_size: MSS size for TSO
+ * @ret: operation result
*
*/
-void net_tx_pkt_build_vheader(struct NetTxPkt *pkt, bool tso_enable,
+bool net_tx_pkt_build_vheader(struct NetTxPkt *pkt, bool tso_enable,
bool csum_enable, uint32_t gso_size);
/**
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index d2ab527ef4..c63bbb59bd 100644
--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
@@ -440,19 +440,19 @@ vmxnet3_setup_tx_offloads(VMXNET3State *s)
{
switch (s->offload_mode) {
case VMXNET3_OM_NONE:
- net_tx_pkt_build_vheader(s->tx_pkt, false, false, 0);
- break;
+ return net_tx_pkt_build_vheader(s->tx_pkt, false, false, 0);
case VMXNET3_OM_CSUM:
- net_tx_pkt_build_vheader(s->tx_pkt, false, true, 0);
VMW_PKPRN("L4 CSO requested\n");
- break;
+ return net_tx_pkt_build_vheader(s->tx_pkt, false, true, 0);
case VMXNET3_OM_TSO:
- net_tx_pkt_build_vheader(s->tx_pkt, true, true,
- s->cso_or_gso_size);
- net_tx_pkt_update_ip_checksums(s->tx_pkt);
VMW_PKPRN("GSO offload requested.");
+ if (!net_tx_pkt_build_vheader(s->tx_pkt, true, true,
+ s->cso_or_gso_size)) {
+ return false;
+ }
+ net_tx_pkt_update_ip_checksums(s->tx_pkt);
break;
default:
--
2.39.1
- [PATCH v5 09/29] e1000: Use memcpy to intialize registers, (continued)
- [PATCH v5 09/29] e1000: Use memcpy to intialize registers, Akihiko Odaki, 2023/01/31
- [PATCH v5 05/29] e1000: Mask registers when writing, Akihiko Odaki, 2023/01/31
- [PATCH v5 10/29] e1000e: Use memcpy to intialize registers, Akihiko Odaki, 2023/01/31
- [PATCH v5 11/29] e1000e: Remove pending interrupt flags, Akihiko Odaki, 2023/01/31
- [PATCH v5 12/29] e1000e: Improve software reset, Akihiko Odaki, 2023/01/31
- [PATCH v5 13/29] e1000: Configure ResettableClass, Akihiko Odaki, 2023/01/31
- [PATCH v5 14/29] e1000e: Configure ResettableClass, Akihiko Odaki, 2023/01/31
- [PATCH v5 15/29] e1000e: Introduce e1000_rx_desc_union, Akihiko Odaki, 2023/01/31
- [PATCH v5 16/29] e1000e: Set MII_ANER_NWAY, Akihiko Odaki, 2023/01/31
- [PATCH v5 17/29] e1000e: Remove extra pointer indirection, Akihiko Odaki, 2023/01/31
- [PATCH v5 18/29] net: Check L4 header size,
Akihiko Odaki <=
- [PATCH v5 19/29] e1000x: Alter the signature of e1000x_is_vlan_packet, Akihiko Odaki, 2023/01/31
- [PATCH v5 20/29] net: Strip virtio-net header when dumping, Akihiko Odaki, 2023/01/31
- [PATCH v5 21/29] hw/net/net_tx_pkt: Automatically determine if virtio-net header is used, Akihiko Odaki, 2023/01/31
- [PATCH v5 22/29] hw/net/net_rx_pkt: Remove net_rx_pkt_has_virt_hdr, Akihiko Odaki, 2023/01/31
- [PATCH v5 23/29] e1000e: Perform software segmentation for loopback, Akihiko Odaki, 2023/01/31
- [PATCH v5 25/29] hw/net/net_tx_pkt: Check the payload length, Akihiko Odaki, 2023/01/31
- [PATCH v5 27/29] MAINTAINERS: Add Akihiko Odaki as a e1000e reviewer, Akihiko Odaki, 2023/01/31
- [PATCH v5 24/29] hw/net/net_tx_pkt: Implement TCP segmentation, Akihiko Odaki, 2023/01/31
- [PATCH v5 26/29] e1000e: Do not assert when MSI-X is disabled later, Akihiko Odaki, 2023/01/31
- [PATCH v5 28/29] MAINTAINERS: Add e1000e test files, Akihiko Odaki, 2023/01/31