From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:53334) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ZMEY0-0002PN-HB for qemu-devel@nongnu.org; Mon, 03 Aug 2015 08:08:56 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ZMEXt-00088I-Uw for qemu-devel@nongnu.org; Mon, 03 Aug 2015 08:08:52 -0400 From: Stefan Hajnoczi Date: Mon, 3 Aug 2015 13:08:35 +0100 Message-Id: <1438603721-28320-2-git-send-email-stefanha@redhat.com> In-Reply-To: <1438603721-28320-1-git-send-email-stefanha@redhat.com> References: <1438603721-28320-1-git-send-email-stefanha@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Subject: [Qemu-devel] [PULL for-2.4 1/7] rtl8139: avoid nested ifs in IP header parsing (CVE-2015-5165) List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: Peter Maydell , Jason Wang , qemu-stable@nongnu.org, Stefan Hajnoczi Transmit offload needs to parse packet headers. If header fields have unexpected values the offload processing is skipped. The code currently uses nested ifs because there is relatively little input validation. The next patches will add missing input validation and a goto label is more appropriate to avoid deep if statement nesting. Reported-by: =E6=9C=B1=E4=B8=9C=E6=B5=B7(=E5=90=AF=E8=B7=AF) Reviewed-by: Jason Wang Signed-off-by: Stefan Hajnoczi --- hw/net/rtl8139.c | 35 +++++++++++++++++++---------------- 1 file changed, 19 insertions(+), 16 deletions(-) diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c index e0db472..8731a30 100644 --- a/hw/net/rtl8139.c +++ b/hw/net/rtl8139.c @@ -2160,28 +2160,30 @@ static int rtl8139_cplus_transmit_one(RTL8139Stat= e *s) size_t eth_payload_len =3D 0; =20 int proto =3D be16_to_cpu(*(uint16_t *)(saved_buffer + 12)); - if (proto =3D=3D ETH_P_IP) + if (proto !=3D ETH_P_IP) { - DPRINTF("+++ C+ mode has IP packet\n"); + goto skip_offload; + } + + DPRINTF("+++ C+ mode has IP packet\n"); =20 - /* not aligned */ - eth_payload_data =3D saved_buffer + ETH_HLEN; - eth_payload_len =3D saved_size - ETH_HLEN; + /* not aligned */ + eth_payload_data =3D saved_buffer + ETH_HLEN; + eth_payload_len =3D saved_size - ETH_HLEN; =20 - ip =3D (ip_header*)eth_payload_data; + ip =3D (ip_header*)eth_payload_data; =20 - if (IP_HEADER_VERSION(ip) !=3D IP_HEADER_VERSION_4) { - DPRINTF("+++ C+ mode packet has bad IP version %d " - "expected %d\n", IP_HEADER_VERSION(ip), - IP_HEADER_VERSION_4); - ip =3D NULL; - } else { - hlen =3D IP_HEADER_LENGTH(ip); - ip_protocol =3D ip->ip_p; - ip_data_len =3D be16_to_cpu(ip->ip_len) - hlen; - } + if (IP_HEADER_VERSION(ip) !=3D IP_HEADER_VERSION_4) { + DPRINTF("+++ C+ mode packet has bad IP version %d " + "expected %d\n", IP_HEADER_VERSION(ip), + IP_HEADER_VERSION_4); + goto skip_offload; } =20 + hlen =3D IP_HEADER_LENGTH(ip); + ip_protocol =3D ip->ip_p; + ip_data_len =3D be16_to_cpu(ip->ip_len) - hlen; + if (ip) { if (txdw0 & CP_TX_IPCS) @@ -2377,6 +2379,7 @@ static int rtl8139_cplus_transmit_one(RTL8139State = *s) } } =20 +skip_offload: /* update tally counter */ ++s->tally_counters.TxOk; =20 --=20 2.4.3