From: Jason Wang <jasowang@redhat.com>
To: qemu-devel@nongnu.org
Cc: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>,
Lei Yang <leiyang@redhat.com>, Jason Wang <jasowang@redhat.com>
Subject: [PULL 01/12] net/tap: drop too small packets
Date: Mon, 21 Jul 2025 13:59:16 +0800
Message-ID: <20250721055927.75951-2-jasowang@redhat.com>
In-Reply-To: <20250721055927.75951-1-jasowang@redhat.com>

From: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>

Theoretically tap_read_packet() may return size less than
s->host_vnet_hdr_len, and next, we'll work with negative size
(in case of !s->using_vnet_hdr). Let's avoid it.

Don't proceed with size == s->host_vnet_hdr_len as well in case
of !s->using_vnet_hdr, it doesn't make sense.

Tested-by: Lei Yang <leiyang@redhat.com>
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
net/tap.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/tap.c b/net/tap.c
index 23536c09b4..2a85936019 100644
--- a/net/tap.c
+++ b/net/tap.c
@@ -190,6 +190,11 @@ static void tap_send(void *opaque)
break;
}
+ if (s->host_vnet_hdr_len && size <= s->host_vnet_hdr_len) {
+ /* Invalid packet */
+ break;
+ }
+
if (s->host_vnet_hdr_len && !s->using_vnet_hdr) {
buf += s->host_vnet_hdr_len;
size -= s->host_vnet_hdr_len;
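Review bot: The added check `size <= s->host_vnet_hdr_len` is not gated on `!s->using_vnet_hdr`, so a read of exactly the header length is also dropped when the header is passed through, while the commit message justifies the `==` case only for `!s->using_vnet_hdr`. Dropping it in both cases looks reasonable, since a header with no payload carries no frame, but the `/* Invalid packet */` comment should say that, for example "no payload after the vnet header", so the wider condition reads as intentional. The drop is also silent: a trace point or counter before the `break` would make short reads from the tap fd visible when debugging.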
--
2.42.0