From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:53439) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ZMEY8-0002dj-Ov for qemu-devel@nongnu.org; Mon, 03 Aug 2015 08:09:04 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ZMEY4-0008U3-SO for qemu-devel@nongnu.org; Mon, 03 Aug 2015 08:09:00 -0400 From: Stefan Hajnoczi Date: Mon, 3 Aug 2015 13:08:41 +0100 Message-Id: <1438603721-28320-8-git-send-email-stefanha@redhat.com> In-Reply-To: <1438603721-28320-1-git-send-email-stefanha@redhat.com> References: <1438603721-28320-1-git-send-email-stefanha@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Subject: [Qemu-devel] [PULL for-2.4 7/7] rtl8139: check TCP Data Offset field (CVE-2015-5165) List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: Peter Maydell , Jason Wang , qemu-stable@nongnu.org, Stefan Hajnoczi The TCP Data Offset field contains the length of the header. Make sure it is valid and does not exceed the IP data length. Reported-by: =E6=9C=B1=E4=B8=9C=E6=B5=B7(=E5=90=AF=E8=B7=AF) Reviewed-by: Jason Wang Signed-off-by: Stefan Hajnoczi --- hw/net/rtl8139.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c index fa01934..edbb61c 100644 --- a/hw/net/rtl8139.c +++ b/hw/net/rtl8139.c @@ -2239,6 +2239,11 @@ static int rtl8139_cplus_transmit_one(RTL8139State= *s) =20 int tcp_hlen =3D TCP_HEADER_DATA_OFFSET(p_tcp_hdr); =20 + /* Invalid TCP data offset? */ + if (tcp_hlen < sizeof(tcp_header) || tcp_hlen > ip_data_= len) { + goto skip_offload; + } + /* ETH_MTU =3D ip header len + tcp header len + payload = */ int tcp_data_len =3D ip_data_len - tcp_hlen; int tcp_chunk_size =3D ETH_MTU - hlen - tcp_hlen; --=20 2.4.3