From: Jason Wang <jasowang@redhat.com>
To: qemu-devel@nongnu.org, peter.maydell@linaro.org
Cc: Akihiko Odaki <akihiko.odaki@daynix.com>,
	Jason Wang <jasowang@redhat.com>
Subject: [PULL V2 19/44] net: Check L4 header size
Date: Fri, 10 Mar 2023 17:35:01 +0800	[thread overview]
Message-ID: <20230310093526.30828-20-jasowang@redhat.com> (raw)
In-Reply-To: <20230310093526.30828-1-jasowang@redhat.com>

From: Akihiko Odaki <akihiko.odaki@daynix.com>

net_tx_pkt_build_vheader() inspects the TCP header but had no check for
the header size, resulting in undefined behavior. Check the header
size and drop the packet if the header is too small.

Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/net/e1000e_core.c | 19 ++++++++++++++-----
 hw/net/net_tx_pkt.c  | 13 ++++++++++---
 hw/net/net_tx_pkt.h  |  3 ++-
 hw/net/vmxnet3.c     | 14 +++++++-------
 4 files changed, 33 insertions(+), 16 deletions(-)

diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c
index d143f2a..38d374f 100644
--- a/hw/net/e1000e_core.c
+++ b/hw/net/e1000e_core.c
@@ -629,23 +629,30 @@ e1000e_rss_parse_packet(E1000ECore *core,
     info->queue = E1000_RSS_QUEUE(&core->mac[RETA], info->hash);
 }
 
-static void
+static bool
 e1000e_setup_tx_offloads(E1000ECore *core, struct e1000e_tx *tx)
 {
     if (tx->props.tse && tx->cptse) {
-        net_tx_pkt_build_vheader(tx->tx_pkt, true, true, tx->props.mss);
+        if (!net_tx_pkt_build_vheader(tx->tx_pkt, true, true, tx->props.mss)) {
+            return false;
+        }
+
         net_tx_pkt_update_ip_checksums(tx->tx_pkt);
         e1000x_inc_reg_if_not_full(core->mac, TSCTC);
-        return;
+        return true;
     }
 
     if (tx->sum_needed & E1000_TXD_POPTS_TXSM) {
-        net_tx_pkt_build_vheader(tx->tx_pkt, false, true, 0);
+        if (!net_tx_pkt_build_vheader(tx->tx_pkt, false, true, 0)) {
+            return false;
+        }
     }
 
     if (tx->sum_needed & E1000_TXD_POPTS_IXSM) {
         net_tx_pkt_update_ip_hdr_checksum(tx->tx_pkt);
     }
+
+    return true;
 }
 
 static bool
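Review bot: The new bool contract of e1000e_setup_tx_offloads is undocumented, so a reader of the two `return false;` lines cannot tell that false means "drop the packet" rather than "send it without offloads". Add above the definition: `/* Returns false if the L4 header is too short for the requested offload; the caller must drop the packet instead of sending it. */`. The same silent path continues in e1000e_tx_pkt_send in the next hunk, where `if (!e1000e_setup_tx_offloads(core, tx)) { return false; }` discards a guest-supplied descriptor without any trace point or counter; since a truncated TCP header only reaches this code through the guest driver, a trace event on that branch would make such drops observable to an operator. Whether e1000e_tx_pkt_send's caller already accounts for the false return is outside the hunk, as that function starts and ends beyond it.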
@@ -654,7 +661,9 @@ e1000e_tx_pkt_send(E1000ECore *core, struct e1000e_tx *tx, int queue_index)
     int target_queue = MIN(core->max_queue_num, queue_index);
     NetClientState *queue = qemu_get_subqueue(core->owner_nic, target_queue);
 
-    e1000e_setup_tx_offloads(core, tx);
+    if (!e1000e_setup_tx_offloads(core, tx)) {
+        return false;
+    }
 
     net_tx_pkt_dump(tx->tx_pkt);
 
diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
index 2533ea2..8a23899 100644
--- a/hw/net/net_tx_pkt.c
+++ b/hw/net/net_tx_pkt.c
@@ -304,10 +304,11 @@ func_exit:
     return rc;
 }
 
-void net_tx_pkt_build_vheader(struct NetTxPkt *pkt, bool tso_enable,
+bool net_tx_pkt_build_vheader(struct NetTxPkt *pkt, bool tso_enable,
     bool csum_enable, uint32_t gso_size)
 {
     struct tcp_hdr l4hdr;
+    size_t bytes_read;
     assert(pkt);
 
     /* csum has to be enabled if tso is. */
@@ -328,8 +329,12 @@ void net_tx_pkt_build_vheader(struct NetTxPkt *pkt, bool tso_enable,
 
     case VIRTIO_NET_HDR_GSO_TCPV4:
     case VIRTIO_NET_HDR_GSO_TCPV6:
-        iov_to_buf(&pkt->vec[NET_TX_PKT_PL_START_FRAG], pkt->payload_frags,
-                   0, &l4hdr, sizeof(l4hdr));
+        bytes_read = iov_to_buf(&pkt->vec[NET_TX_PKT_PL_START_FRAG],
+                                pkt->payload_frags, 0, &l4hdr, sizeof(l4hdr));
+        if (bytes_read < sizeof(l4hdr)) {
+            return false;
+        }
+
         pkt->virt_hdr.hdr_len = pkt->hdr_len + l4hdr.th_off * sizeof(uint32_t);
         pkt->virt_hdr.gso_size = gso_size;
         break;
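Review bot: The added `bytes_read < sizeof(l4hdr)` test guards only the fixed-size `struct tcp_hdr` copy; the `th_off` field that the next line folds into `pkt->virt_hdr.hdr_len` is still taken from the packet unvalidated, so a data offset below the TCP minimum of 5 words, or one that points past the bytes actually present in the payload, produces an hdr_len that does not describe the buffer. A minimum check after the size test, `if (l4hdr.th_off < 5) { return false; }`, closes the low end, and comparing `l4hdr.th_off * sizeof(uint32_t)` against the payload length the packet tracks would close the high end. Where virt_hdr.hdr_len is consumed is outside this hunk, so whether an inconsistent value is merely wrong or actively harmful cannot be judged here; net_tx_pkt_build_vheader starts in the previous hunk and ends in the next.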
@@ -354,6 +359,8 @@ void net_tx_pkt_build_vheader(struct NetTxPkt *pkt, bool tso_enable,
             break;
         }
     }
+
+    return true;
 }
 
 void net_tx_pkt_setup_vlan_header_ex(struct NetTxPkt *pkt,
diff --git a/hw/net/net_tx_pkt.h b/hw/net/net_tx_pkt.h
index 4ec8bbe..2e38a5f 100644
--- a/hw/net/net_tx_pkt.h
+++ b/hw/net/net_tx_pkt.h
@@ -59,9 +59,10 @@ struct virtio_net_hdr *net_tx_pkt_get_vhdr(struct NetTxPkt *pkt);
  * @tso_enable:     TSO enabled
  * @csum_enable:    CSO enabled
  * @gso_size:       MSS size for TSO
+ * @ret:            operation result
  *
  */
-void net_tx_pkt_build_vheader(struct NetTxPkt *pkt, bool tso_enable,
+bool net_tx_pkt_build_vheader(struct NetTxPkt *pkt, bool tso_enable,
     bool csum_enable, uint32_t gso_size);
 
 /**
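Review bot: `@ret: operation result` says nothing about the failure case, which is the whole reason the signature changed to bool. Replace the line with `* @ret: false if the L4 header could not be read from the payload (the packet must be dropped), true otherwise`, so callers in e1000e_core.c and vmxnet3.c have a documented contract to follow rather than inferring it from net_tx_pkt.c.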
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index 56559cd..d7d492a 100644
--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
@@ -440,19 +440,19 @@ vmxnet3_setup_tx_offloads(VMXNET3State *s)
 {
     switch (s->offload_mode) {
     case VMXNET3_OM_NONE:
-        net_tx_pkt_build_vheader(s->tx_pkt, false, false, 0);
-        break;
+        return net_tx_pkt_build_vheader(s->tx_pkt, false, false, 0);
 
     case VMXNET3_OM_CSUM:
-        net_tx_pkt_build_vheader(s->tx_pkt, false, true, 0);
         VMW_PKPRN("L4 CSO requested\n");
-        break;
+        return net_tx_pkt_build_vheader(s->tx_pkt, false, true, 0);
 
     case VMXNET3_OM_TSO:
-        net_tx_pkt_build_vheader(s->tx_pkt, true, true,
-            s->cso_or_gso_size);
-        net_tx_pkt_update_ip_checksums(s->tx_pkt);
         VMW_PKPRN("GSO offload requested.");
+        if (!net_tx_pkt_build_vheader(s->tx_pkt, true, true,
+            s->cso_or_gso_size)) {
+            return false;
+        }
+        net_tx_pkt_update_ip_checksums(s->tx_pkt);
         break;
 
     default:
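Review bot: In the VMXNET3_OM_TSO branch the new `return false;` is silent, while both successful branches emit a VMW_PKPRN line, so an operator debugging a guest whose TSO packets vanish sees "GSO offload requested." followed by nothing. Add `VMW_PKPRN("L4 header too short for GSO, dropping packet\n");` immediately before that `return false;` to keep the branch's diagnostics symmetric. The function's signature, `default:` arm and final return are outside the hunk; the diffstat (7 insertions, 7 deletions, all within this hunk) suggests the bool return type already existed, but that is inferred, not visible.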
-- 
2.7.4


