From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:53374)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <stefanha@redhat.com>) id 1ZMEY3-0002Tz-Hx
	for qemu-devel@nongnu.org; Mon, 03 Aug 2015 08:08:59 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <stefanha@redhat.com>) id 1ZMEXz-0008Mq-Kl
	for qemu-devel@nongnu.org; Mon, 03 Aug 2015 08:08:55 -0400
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Mon,  3 Aug 2015 13:08:38 +0100
Message-Id: <1438603721-28320-5-git-send-email-stefanha@redhat.com>
In-Reply-To: <1438603721-28320-1-git-send-email-stefanha@redhat.com>
References: <1438603721-28320-1-git-send-email-stefanha@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Subject: [Qemu-devel] [PULL for-2.4 4/7] rtl8139: check IP Header Length
	field (CVE-2015-5165)
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>, Jason Wang <jasowang@redhat.com>, qemu-stable@nongnu.org, Stefan Hajnoczi <stefanha@redhat.com>

The IP Header Length field was only checked in the IP checksum case, but
is used in other cases too.

Reported-by: =E6=9C=B1=E4=B8=9C=E6=B5=B7(=E5=90=AF=E8=B7=AF) <donghai.zdh=
@alibaba-inc.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 hw/net/rtl8139.c | 19 ++++++++-----------
 1 file changed, 8 insertions(+), 11 deletions(-)

diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
index 1c62076..4eaa352 100644
--- a/hw/net/rtl8139.c
+++ b/hw/net/rtl8139.c
@@ -2186,6 +2186,10 @@ static int rtl8139_cplus_transmit_one(RTL8139State=
 *s)
             }
=20
             hlen =3D IP_HEADER_LENGTH(ip);
+            if (hlen < sizeof(ip_header) || hlen > eth_payload_len) {
+                goto skip_offload;
+            }
+
             ip_protocol =3D ip->ip_p;
             ip_data_len =3D be16_to_cpu(ip->ip_len) - hlen;
=20
@@ -2193,17 +2197,10 @@ static int rtl8139_cplus_transmit_one(RTL8139Stat=
e *s)
             {
                 DPRINTF("+++ C+ mode need IP checksum\n");
=20
-                if (hlen<sizeof(ip_header) || hlen>eth_payload_len) {/* =
min header length */
-                    /* bad packet header len */
-                    /* or packet too short */
-                }
-                else
-                {
-                    ip->ip_sum =3D 0;
-                    ip->ip_sum =3D ip_checksum(ip, hlen);
-                    DPRINTF("+++ C+ mode IP header len=3D%d checksum=3D%=
04x\n",
-                        hlen, ip->ip_sum);
-                }
+                ip->ip_sum =3D 0;
+                ip->ip_sum =3D ip_checksum(ip, hlen);
+                DPRINTF("+++ C+ mode IP header len=3D%d checksum=3D%04x\=
n",
+                    hlen, ip->ip_sum);
             }
=20
             if ((txdw0 & CP_TX_LGSEN) && ip_protocol =3D=3D IP_PROTO_TCP=
)
--=20
2.4.3