From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from [140.186.70.92] (port=43529 helo=eggs.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1ORSNH-0007pb-8H
	for qemu-devel@nongnu.org; Wed, 23 Jun 2010 12:00:28 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.69)
	(envelope-from <mst@redhat.com>) id 1ORSNF-0002yl-8D
	for qemu-devel@nongnu.org; Wed, 23 Jun 2010 12:00:27 -0400
Received: from mx1.redhat.com ([209.132.183.28]:64227)
	by eggs.gnu.org with esmtp (Exim 4.69)
	(envelope-from <mst@redhat.com>) id 1ORSNF-0002xE-1Q
	for qemu-devel@nongnu.org; Wed, 23 Jun 2010 12:00:25 -0400
Received: from int-mx05.intmail.prod.int.phx2.redhat.com
	(int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.18])
	by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id o5NG0Lba022743
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
	for <qemu-devel@nongnu.org>; Wed, 23 Jun 2010 12:00:21 -0400
Date: Wed, 23 Jun 2010 18:55:27 +0300
From: "Michael S. Tsirkin" <mst@redhat.com>
Message-ID: <20100623155526.GE30526@redhat.com>
References: <20100623095118.GA9796@redhat.com> <m3eifxrbc6.fsf@trasno.mitica>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <m3eifxrbc6.fsf@trasno.mitica>
Subject: [Qemu-devel] Re: [PATCH] virtio-net: correct header length math
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Juan Quintela <quintela@redhat.com>
Cc: Amit Shah <amit.shah@redhat.com>, alex.williamson@redhat.com, qemu-devel@nongnu.org

On Wed, Jun 23, 2010 at 05:57:13PM +0200, Juan Quintela wrote:
> "Michael S. Tsirkin" <mst@redhat.com> wrote:
> > We were requesting too much when checking buffer
> > length: size already includes host header length.
> >
> > Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> 
> All changes here are  ok, but we are still missing more checks.
> 
> > ---
> >  hw/virtio-net.c |   20 +++++++++++---------
> >  1 files changed, 11 insertions(+), 9 deletions(-)
> >
> > diff --git a/hw/virtio-net.c b/hw/virtio-net.c
> > index 06ba481..2646c87 100644
> > --- a/hw/virtio-net.c
> > +++ b/hw/virtio-net.c
> > @@ -527,17 +527,18 @@ static ssize_t virtio_net_receive(VLANClientState *nc, const uint8_t *buf, size_
> >  {
> >      VirtIONet *n = DO_UPCAST(NICState, nc, nc)->opaque;
> >      struct virtio_net_hdr_mrg_rxbuf *mhdr = NULL;
> > -    size_t hdr_len, offset, i;
> > +    size_t guest_hdr_len, offset, i, host_hdr_len;
> >  
> >      if (!virtio_net_can_receive(&n->nic->nc))
> >          return -1;
> >  
> >      /* hdr_len refers to the header we supply to the guest */
> > -    hdr_len = n->mergeable_rx_bufs ?
> > +    guest_hdr_len = n->mergeable_rx_bufs ?
> >          sizeof(struct virtio_net_hdr_mrg_rxbuf) : sizeof(struct virtio_net_hdr);
> >  
> >  
> 
> nitpit: empty extra line
> 
> > -    if (!virtio_net_has_buffers(n, size + hdr_len))
> > +    host_hdr_len = n->has_vnet_hdr ? sizeof(struct virtio_net_hdr) : 0;
> > +    if (!virtio_net_has_buffers(n, size + guest_hdr_len - host_hdr_len))
> >          return 0;
> >  
> >      if (!receive_filter(n, buf, size))
> 
> size is not used by receive_filter.  We are assuming that size is at
> least 16 + sizeof(struct virtio_net_hdr).

True, I guess receive_filter should be fixed.

> 
>     while (offset < size) {
> 
> we are still testing offset with size, but we read headers from there
> also :(

>>From where? As far as I can tell we always read size bytes from buf. No?

> Later, Juan.