Re: [Qemu-devel] [PATCH] net: check packet payload length

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Jason Wang <jasowang@redhat.com>
To: P J P <ppandit@redhat.com>, Markus Armbruster <armbru@redhat.com>
Cc: Qemu Developers <qemu-devel@nongnu.org>, Liu Ling <liuling-it@360.cn>
Subject: Re: [Qemu-devel] [PATCH] net: check packet payload length
Date: Tue, 23 Feb 2016 15:57:25 +0800	[thread overview]
Message-ID: <56CC10E5.6010902@redhat.com> (raw)
In-Reply-To: <alpine.LFD.2.20.1602181548400.23443@wniryva>



On 02/18/2016 06:33 PM, P J P wrote:
>   Hello Markus,
>
> +-- On Thu, 18 Feb 2016, Markus Armbruster wrote --+
> | 
> |           if ((data[14] & 0xf0) != 0x40)
> | Buffer overrun when length <= 14.
> | 
> |           proto = data[23];
> | Buffer overrun when length <= 23.
> | 
> | I think we should check that we got at least an IPv4 header without
> | options (length >= 14 + 20) before accessing said header.
>
>   Right. Some callers do have checks in place to ensure length is >= minium 
> packet length. Still it'll help to add an assert(length >= 14+20);

Let's avoid adding assert() here since it could be triggered by guest.

>
> |     /*
> |      * Compute and store checksum of IPv4 TCP or UDP packet.
> |      * @data holds @length bytes.  It must be a complete packet.
> |      * If this is an IPv4 TCP packet, compute its checksum and store it
> |      * in the TCP header.
> |      * Else if this is a complete IPv4 UDP packet, compute its checksum
> |      * and store it in the UDP header.
> |      * Else do nothing.
> |      */
> |     void net_checksum_calculate(uint8_t *data, int length)
> | 
> | I find it simpler.
> | 
> | If the other buffer overrun I mentioned above needs fixing: yes.
> | Else: depends on the maintainer.
>
>   Okay, I'll wait for Jason's inputs and will send a revised patch including 
> your suggestions above.
>
> Thank you.
> --
> Prasad J Pandit / Red Hat Product Security Team
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

I think you need audit all the callers to see if the issue mentioned by
Markus existed first.

next prev parent reply	other threads:[~2016-02-23  7:57 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-02-17 12:08 [Qemu-devel] [PATCH] net: check packet payload length P J P
2016-02-17 12:57 ` Markus Armbruster
2016-02-17 18:50   ` P J P
2016-02-18  7:42     ` P J P
2016-02-18  9:31     ` Markus Armbruster
2016-02-18 10:33       ` P J P
2016-02-23  7:57         ` Jason Wang [this message]
2016-02-23 11:11           ` P J P
2016-02-24  3:03             ` Jason Wang
2016-02-24  4:37               ` P J P

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=56CC10E5.6010902@redhat.com \
    --to=jasowang@redhat.com \
    --cc=armbru@redhat.com \
    --cc=liuling-it@360.cn \
    --cc=ppandit@redhat.com \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.