From: Stefan Hajnoczi <stefanha@redhat.com>
To: qemu-devel@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>,
Jason Wang <jasowang@redhat.com>,
qemu-stable@nongnu.org, Stefan Hajnoczi <stefanha@redhat.com>
Subject: [Qemu-devel] [PULL for-2.4 1/7] rtl8139: avoid nested ifs in IP header parsing (CVE-2015-5165)
Date: Mon, 3 Aug 2015 13:08:35 +0100
Message-ID: <1438603721-28320-2-git-send-email-stefanha@redhat.com>
In-Reply-To: <1438603721-28320-1-git-send-email-stefanha@redhat.com>
Transmit offload needs to parse packet headers. If header fields have
unexpected values the offload processing is skipped.
The code currently uses nested ifs because there is relatively little
input validation. The next patches will add missing input validation
and a goto label is more appropriate to avoid deep if statement nesting.
Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
hw/net/rtl8139.c | 35 +++++++++++++++++++----------------
1 file changed, 19 insertions(+), 16 deletions(-)
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
index e0db472..8731a30 100644
--- a/hw/net/rtl8139.c
+++ b/hw/net/rtl8139.c
@@ -2160,28 +2160,30 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
size_t eth_payload_len = 0;
int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12));
- if (proto == ETH_P_IP)
+ if (proto != ETH_P_IP)
{
- DPRINTF("+++ C+ mode has IP packet\n");
+ goto skip_offload;
+ }
+
+ DPRINTF("+++ C+ mode has IP packet\n");
- /* not aligned */
- eth_payload_data = saved_buffer + ETH_HLEN;
- eth_payload_len = saved_size - ETH_HLEN;
+ /* not aligned */
+ eth_payload_data = saved_buffer + ETH_HLEN;
+ eth_payload_len = saved_size - ETH_HLEN;
- ip = (ip_header*)eth_payload_data;
+ ip = (ip_header*)eth_payload_data;
- if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {
- DPRINTF("+++ C+ mode packet has bad IP version %d "
- "expected %d\n", IP_HEADER_VERSION(ip),
- IP_HEADER_VERSION_4);
- ip = NULL;
- } else {
- hlen = IP_HEADER_LENGTH(ip);
- ip_protocol = ip->ip_p;
- ip_data_len = be16_to_cpu(ip->ip_len) - hlen;
- }
+ if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {
+ DPRINTF("+++ C+ mode packet has bad IP version %d "
+ "expected %d\n", IP_HEADER_VERSION(ip),
+ IP_HEADER_VERSION_4);
+ goto skip_offload;
}
+ hlen = IP_HEADER_LENGTH(ip);
+ ip_protocol = ip->ip_p;
+ ip_data_len = be16_to_cpu(ip->ip_len) - hlen;
+
if (ip)
{
if (txdw0 & CP_TX_IPCS)
@@ -2377,6 +2379,7 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
}
}
+skip_offload:
/* update tally counter */
++s->tally_counters.TxOk;
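Review bot: the `skip_offload:` label lands immediately before `++s->tally_counters.TxOk;`, so a frame whose headers fail parsing is still counted as a successful transmit rather than dropped or counted as an error. That matches the previous behaviour for the bad-IP-version case, but since the commit message says the next patches will route more malformed inputs to this label, it should state that the intended outcome for such frames is "transmit unmodified, no checksum offload, counted as TxOk", so the later validation patches are reviewed against a stated contract rather than an implicit one.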
--
2.4.3