From: Jason Wang <jasowang@redhat.com>
To: P J P <ppandit@redhat.com>
Cc: Qemu Developers <qemu-devel@nongnu.org>,
Markus Armbruster <armbru@redhat.com>,
Liu Ling <liuling-it@360.cn>
Subject: Re: [Qemu-devel] [PATCH] net: check packet payload length
Date: Wed, 24 Feb 2016 11:03:47 +0800 [thread overview]
Message-ID: <56CD1D93.2010708@redhat.com> (raw)
In-Reply-To: <alpine.LFD.2.20.1602231621480.31193@wniryva>
On 02/23/2016 07:11 PM, P J P wrote:
> Hello Jason,
>
> +-- On Tue, 23 Feb 2016, Jason Wang wrote --+
> | Let's avoid adding assert() here since it could be triggered by guest.
>
> Okay.
>
> | I think you need audit all the callers to see if the issue mentioned by
> | Markus existed first.
>
> Yes, I did. As mentioned earlier, some have check for minimum packet size,
> others check for length > 0.
>
> net_checksum_calculate is called as:
>
> - hw/net/cadence_gem.c
> if (tx_desc_get_length(desc) == 0))
> DB_PRINT("Invalid TX descriptor @ 0x%x\n",
> }
> total_bytes += tx_desc_get_length(desc);
> net_checksum_calculate(tx_packet, total_bytes);
>
> - hw/net/fsl_etsec/rings.c
> if (etsec->tx_buffer_len != 0
> net_checksum_calculate(etsec->tx_buffer + 8,
> etsec->tx_buffer_len - 8);
>
> - hw/net/virtio-net.c
> if (size > 27 && size < 1500) &&
> (buf[34] == 0 && buf[35] == 67)) {
Are we sure size of buf is >= 35 here?
> net_checksum_calculate(buf, size);
>
> - hw/net/xen_nic.c
> if (txreq.size < 14) {
> xen_be_printf(&netdev->xendev, 0, "bad packet size:
> }
> net_checksum_calculate(tmpbuf, txreq.size);
>
> It might be possible to send a packet with (length < 14+20), and cause an OOB
> read in net_checksum_calculate,
>
> if ((data[14] & 0xf0) != 0x40)
> return; /* not IPv4 */
> hlen = (data[14] & 0x0f) * 4;
> plen = (data[16] << 8 | data[17]) - hlen;
> proto = data[23];
>
> I'll send a revised patch with a check for minimum 'data' length to include
> complete layer-2(14) + layer-3(20) headers.
>
> + if (len < 14+20)
> + return;
>
>
> Thank you.
Ok.
> --
> - P J P
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
>
next prev parent reply other threads:[~2016-02-24 3:04 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-17 12:08 [Qemu-devel] [PATCH] net: check packet payload length P J P
2016-02-17 12:57 ` Markus Armbruster
2016-02-17 18:50 ` P J P
2016-02-18 7:42 ` P J P
2016-02-18 9:31 ` Markus Armbruster
2016-02-18 10:33 ` P J P
2016-02-23 7:57 ` Jason Wang
2016-02-23 11:11 ` P J P
2016-02-24 3:03 ` Jason Wang [this message]
2016-02-24 4:37 ` P J P
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56CD1D93.2010708@redhat.com \
--to=jasowang@redhat.com \
--cc=armbru@redhat.com \
--cc=liuling-it@360.cn \
--cc=ppandit@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.