From: Jason Wang <jasowang@redhat.com>
To: P J P <ppandit@redhat.com>, Qemu Developers <qemu-devel@nongnu.org>
Cc: Liu Ling <liuling-it@360.cn>,
Prasad J Pandit <pjp@fedoraproject.org>,
Markus Armbruster <armbru@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v2 1/2] net: check packet payload length
Date: Fri, 26 Feb 2016 14:10:33 +0800 [thread overview]
Message-ID: <56CFEC59.8040503@redhat.com> (raw)
In-Reply-To: <1456243707-29345-2-git-send-email-ppandit@redhat.com>
On 02/24/2016 12:08 AM, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> While computing IP checksum, 'net_checksum_calculate' reads
> payload length from the packet. It could exceed the given 'data'
> buffer size. Add a check to avoid it.
>
> Reported-by: Liu Ling <liuling-it@360.cn>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> net/checksum.c | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> Update as per review:
> -> https://lists.gnu.org/archive/html/qemu-devel/2016-02/msg04062.html
>
> diff --git a/net/checksum.c b/net/checksum.c
> index 14c0855..bd89083 100644
> --- a/net/checksum.c
> +++ b/net/checksum.c
> @@ -59,6 +59,11 @@ void net_checksum_calculate(uint8_t *data, int length)
> int hlen, plen, proto, csum_offset;
> uint16_t csum;
>
I must say this is still far from perfect, since it has too assumptions
. But I agree we can fix OOB first.
> + /* Ensure data has complete L2 & L3 headers. */
> + if (length < 14 + 20) {
> + return;
> + }
> +
> if ((data[14] & 0xf0) != 0x40)
> return; /* not IPv4 */
> hlen = (data[14] & 0x0f) * 4;
> @@ -76,8 +81,9 @@ void net_checksum_calculate(uint8_t *data, int length)
> return;
> }
>
> - if (plen < csum_offset+2)
> - return;
> + if (plen < csum_offset + 2 || plen + hlen >= length) {
> + return;
> + }
Should we count mac header here? Did "plen + hlen >= length" imply "14 +
hlen + csum_offset + 1" < length?
Looks not. Consider a TCP packet can report evil plen (e.g 20) but just
have 10 bytes payload in fact. In this case:
hlen = 20, plen = 20, csum_offset = 16, length = 44 which can pass all
the above tests, but 14 + hlen + csum_offset = 50 which is greater than
length.
>
> data[14+hlen+csum_offset] = 0;
> data[14+hlen+csum_offset+1] = 0;
next prev parent reply other threads:[~2016-02-26 6:10 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-23 16:08 [Qemu-devel] [PATCH v2 0/2] net: check payload length and minor updates P J P
2016-02-23 16:08 ` [Qemu-devel] [PATCH v2 1/2] net: check packet payload length P J P
2016-02-26 6:10 ` Jason Wang [this message]
2016-03-01 6:48 ` P J P
2016-03-02 3:21 ` Jason Wang
2016-03-02 12:01 ` P J P
2016-02-23 16:08 ` [Qemu-devel] [PATCH v2 2/2] net: minor indentation updates P J P
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56CFEC59.8040503@redhat.com \
--to=jasowang@redhat.com \
--cc=armbru@redhat.com \
--cc=liuling-it@360.cn \
--cc=pjp@fedoraproject.org \
--cc=ppandit@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.