From: Jason Wang <jasowang@redhat.com>
To: peter.maydell@linaro.org, qemu-devel@nongnu.org
Cc: Dmitry Fleytman <dmitry@daynix.com>,
qemu-stable@nongnu.org, Jason Wang <jasowang@redhat.com>
Subject: [Qemu-devel] [PULL RESEND 03/19] NetRxPkt: Fix memory corruption on VLAN header stripping
Date: Mon, 6 Mar 2017 13:25:38 +0800 [thread overview]
Message-ID: <1488777954-4578-4-git-send-email-jasowang@redhat.com> (raw)
In-Reply-To: <1488777954-4578-1-git-send-email-jasowang@redhat.com>
From: Dmitry Fleytman <dmitry@daynix.com>
This patch fixed a problem that was introduced in commit eb700029.
When net_rx_pkt_attach_iovec() calls eth_strip_vlan()
this can result in pkt->ehdr_buf being overflowed, because
ehdr_buf is only sizeof(struct eth_header) bytes large
but eth_strip_vlan() can write
sizeof(struct eth_header) + sizeof(struct vlan_header)
bytes into it.
Devices affected by this problem: vmxnet3.
Cc: qemu-stable@nongnu.org
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
hw/net/net_rx_pkt.c | 34 +++++++++++++++++-----------------
1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/hw/net/net_rx_pkt.c b/hw/net/net_rx_pkt.c
index 7f928d7..3361d7e 100644
--- a/hw/net/net_rx_pkt.c
+++ b/hw/net/net_rx_pkt.c
@@ -23,13 +23,13 @@
struct NetRxPkt {
struct virtio_net_hdr virt_hdr;
- uint8_t ehdr_buf[sizeof(struct eth_header)];
+ uint8_t ehdr_buf[sizeof(struct eth_header) + sizeof(struct vlan_header)];
struct iovec *vec;
uint16_t vec_len_total;
uint16_t vec_len;
uint32_t tot_len;
uint16_t tci;
- bool vlan_stripped;
+ size_t ehdr_buf_len;
bool has_virt_hdr;
eth_pkt_types_e packet_type;
@@ -88,15 +88,13 @@ net_rx_pkt_pull_data(struct NetRxPkt *pkt,
const struct iovec *iov, int iovcnt,
size_t ploff)
{
- if (pkt->vlan_stripped) {
+ if (pkt->ehdr_buf_len) {
net_rx_pkt_iovec_realloc(pkt, iovcnt + 1);
pkt->vec[0].iov_base = pkt->ehdr_buf;
- pkt->vec[0].iov_len = sizeof(pkt->ehdr_buf);
-
- pkt->tot_len =
- iov_size(iov, iovcnt) - ploff + sizeof(struct eth_header);
+ pkt->vec[0].iov_len = pkt->ehdr_buf_len;
+ pkt->tot_len = iov_size(iov, iovcnt) - ploff + pkt->ehdr_buf_len;
pkt->vec_len = iov_copy(pkt->vec + 1, pkt->vec_len_total - 1,
iov, iovcnt, ploff, pkt->tot_len);
} else {
@@ -123,11 +121,12 @@ void net_rx_pkt_attach_iovec(struct NetRxPkt *pkt,
uint16_t tci = 0;
uint16_t ploff = iovoff;
assert(pkt);
- pkt->vlan_stripped = false;
if (strip_vlan) {
- pkt->vlan_stripped = eth_strip_vlan(iov, iovcnt, iovoff, pkt->ehdr_buf,
- &ploff, &tci);
+ pkt->ehdr_buf_len = eth_strip_vlan(iov, iovcnt, iovoff, pkt->ehdr_buf,
+ &ploff, &tci);
+ } else {
+ pkt->ehdr_buf_len = 0;
}
pkt->tci = tci;
@@ -143,12 +142,13 @@ void net_rx_pkt_attach_iovec_ex(struct NetRxPkt *pkt,
uint16_t tci = 0;
uint16_t ploff = iovoff;
assert(pkt);
- pkt->vlan_stripped = false;
if (strip_vlan) {
- pkt->vlan_stripped = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet,
- pkt->ehdr_buf,
- &ploff, &tci);
+ pkt->ehdr_buf_len = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet,
+ pkt->ehdr_buf,
+ &ploff, &tci);
+ } else {
+ pkt->ehdr_buf_len = 0;
}
pkt->tci = tci;
@@ -161,8 +161,8 @@ void net_rx_pkt_dump(struct NetRxPkt *pkt)
#ifdef NET_RX_PKT_DEBUG
assert(pkt);
- printf("RX PKT: tot_len: %d, vlan_stripped: %d, vlan_tag: %d\n",
- pkt->tot_len, pkt->vlan_stripped, pkt->tci);
+ printf("RX PKT: tot_len: %d, ehdr_buf_len: %lu, vlan_tag: %d\n",
+ pkt->tot_len, pkt->ehdr_buf_len, pkt->tci);
#endif
}
@@ -425,7 +425,7 @@ bool net_rx_pkt_is_vlan_stripped(struct NetRxPkt *pkt)
{
assert(pkt);
- return pkt->vlan_stripped;
+ return pkt->ehdr_buf_len ? true : false;
}
bool net_rx_pkt_has_virt_hdr(struct NetRxPkt *pkt)
--
2.7.4
next prev parent reply other threads:[~2017-03-06 5:26 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-06 5:25 [Qemu-devel] [PULL RESEND 00/19] Net patches Jason Wang
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 01/19] net: Remove useless local var pkt Jason Wang
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 02/19] eth: Extend vlan stripping functions Jason Wang
2017-03-06 5:25 ` Jason Wang [this message]
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 04/19] NetRxPkt: Do not try to pull more data than present Jason Wang
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 05/19] NetRxPkt: Account buffer with ETH header in IOV length Jason Wang
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 06/19] NetRxPkt: Remove code duplication in net_rx_pkt_pull_data() Jason Wang
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 07/19] colo-compare: use g_timeout_source_new() to process the stale packets Jason Wang
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 08/19] colo-compare: kick compare thread to exit after some cleanup in finalization Jason Wang
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 09/19] char: remove the right fd been watched in qemu_chr_fe_set_handlers() Jason Wang
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 10/19] colo-compare: Fix removing fds been watched incorrectly in finalization Jason Wang
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 11/19] net/colo-compare: Fix memory free error Jason Wang
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 12/19] vmxnet3: Convert ring values to uint32_t's Jason Wang
2017-03-13 20:20 ` Laurent Vivier
2017-03-14 11:16 ` Dr. David Alan Gilbert
2017-03-14 11:29 ` Laurent Vivier
2017-03-14 11:38 ` Dr. David Alan Gilbert
2017-03-14 11:47 ` Laurent Vivier
2017-03-14 12:32 ` Dr. David Alan Gilbert
2017-03-14 12:42 ` Laurent Vivier
2017-03-14 12:44 ` Dr. David Alan Gilbert
2017-03-14 13:31 ` Dr. David Alan Gilbert
2017-03-14 13:42 ` Laurent Vivier
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 13/19] vmxnet3: VMStatify rx/tx q_descr and int_state Jason Wang
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 14/19] net/colo: fix memory double free error Jason Wang
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 15/19] filter-rewriter: skip net_checksum_calculate() while offset = 0 Jason Wang
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 16/19] COLO-compare: Rename compare function and remove duplicate codes Jason Wang
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 17/19] COLO-compare: Optimize compare_common and compare_tcp Jason Wang
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 18/19] COLO-compare: Fix icmp and udp compare different packet always dump bug Jason Wang
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 19/19] net/filter-mirror: Follow CODING_STYLE Jason Wang
2017-03-07 7:31 ` [Qemu-devel] [PULL RESEND 00/19] Net patches Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1488777954-4578-4-git-send-email-jasowang@redhat.com \
--to=jasowang@redhat.com \
--cc=dmitry@daynix.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).