[Qemu-devel] [PATCH] net: vmxnet: check fragment length during fragmentation

[Qemu-devel] [PATCH] net: vmxnet: check fragment length during fragmentation

[P J P]

From: Prasad J Pandit <pjp@fedoraproject.org>

VMware VMXNET* NIC emulator supports packet fragmentation.
While fragmenting a packet, it checks for more fragments based
on packet length and current fragment length. It is susceptible
to an infinite loop, if the current fragment length is zero.
Add check to avoid it.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
 hw/net/vmxnet_tx_pkt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/net/vmxnet_tx_pkt.c b/hw/net/vmxnet_tx_pkt.c
index 91e1e08..f4d0f5f 100644
--- a/hw/net/vmxnet_tx_pkt.c
+++ b/hw/net/vmxnet_tx_pkt.c
@@ -544,7 +544,7 @@ static bool vmxnet_tx_pkt_do_sw_fragmentation(struct VmxnetTxPkt *pkt,
 
         fragment_offset += fragment_len;
 
-    } while (more_frags);
+    } while (fragment_len && more_frags);
 
     return true;
 }
-- 
2.5.5

Re: [Qemu-devel] [PATCH] net: vmxnet: check fragment length during fragmentation

[Jason Wang]

On 2016年08月02日 19:37, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> VMware VMXNET* NIC emulator supports packet fragmentation.
> While fragmenting a packet, it checks for more fragments based
> on packet length and current fragment length. It is susceptible
> to an infinite loop, if the current fragment length is zero.
> Add check to avoid it.
>
> Reported-by: Li Qiang <liqiang6-s@360.cn>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
>   hw/net/vmxnet_tx_pkt.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/net/vmxnet_tx_pkt.c b/hw/net/vmxnet_tx_pkt.c
> index 91e1e08..f4d0f5f 100644
> --- a/hw/net/vmxnet_tx_pkt.c
> +++ b/hw/net/vmxnet_tx_pkt.c
> @@ -544,7 +544,7 @@ static bool vmxnet_tx_pkt_do_sw_fragmentation(struct VmxnetTxPkt *pkt,
>   
>           fragment_offset += fragment_len;
>   
> -    } while (more_frags);
> +    } while (fragment_len && more_frags);
>   
>       return true;
>   }

The patch doesn't apply cleanly on HEAD, we now move this logic to 
hw/net/net_tx_pkt.c. Please resend on top of HEAD and cc Dmitry Fleytman 
<dmitry@daynix.com>.

Thanks

Re: [Qemu-devel] [PATCH] net: vmxnet: check fragment length during fragmentation

[P J P]

  Hello Jason,

+-- On Thu, 4 Aug 2016, Jason Wang wrote --+
| The patch doesn't apply cleanly on HEAD, we now move this logic to 
| hw/net/net_tx_pkt.c. Please resend on top of HEAD and cc Dmitry Fleytman 
| <dmitry@daynix.com>.

  I see, that explains why it did not show-up in search. I've sent a revised 
patch v2. Nevertheless, the patch here would apply to Qemu versions <= 2.6.0.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Re: [Qemu-devel] [PATCH] net: vmxnet: check fragment length during fragmentation

[Jason Wang]

On 2016年08月04日 15:35, P J P wrote:
>    Hello Jason,
>
> +-- On Thu, 4 Aug 2016, Jason Wang wrote --+
> | The patch doesn't apply cleanly on HEAD, we now move this logic to
> | hw/net/net_tx_pkt.c. Please resend on top of HEAD and cc Dmitry Fleytman
> | <dmitry@daynix.com>.
>
>    I see, that explains why it did not show-up in search. I've sent a revised
> patch v2. Nevertheless, the patch here would apply to Qemu versions <= 2.6.0.
>
> Thank you.
> --
> Prasad J Pandit / Red Hat Product Security Team
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Yes, I will cc stable this time. Please do it next time if you want the 
fix for stable too.

Thanks