From: Jason Wang <jasowang@redhat.com>
To: qemu-devel@nongnu.org, peter.maydell@linaro.org
Cc: Akihiko Odaki <akihiko.odaki@daynix.com>,
	Jason Wang <jasowang@redhat.com>
Subject: [PULL V2 26/44] hw/net/net_tx_pkt: Check the payload length
Date: Fri, 10 Mar 2023 17:35:08 +0800	[thread overview]
Message-ID: <20230310093526.30828-27-jasowang@redhat.com> (raw)
In-Reply-To: <20230310093526.30828-1-jasowang@redhat.com>

From: Akihiko Odaki <akihiko.odaki@daynix.com>

Check the payload length if checksumming to ensure the payload contains
the space for the resulting value.

This bug was found by Alexander Bulekov with the fuzzer:
https://patchew.org/QEMU/20230129053316.1071513-1-alxndr@bu.edu/

The fixed test case is:
fuzz/crash_6aeaa33e7211ecd603726c53e834df4c6d1e08bc

Fixes: e263cd49c7 ("Packet abstraction for VMWARE network devices")
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/net/net_tx_pkt.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
index 4a35e84..986a3ad 100644
--- a/hw/net/net_tx_pkt.c
+++ b/hw/net/net_tx_pkt.c
@@ -342,11 +342,17 @@ bool net_tx_pkt_build_vheader(struct NetTxPkt *pkt, bool tso_enable,
     if (csum_enable) {
         switch (pkt->l4proto) {
         case IP_PROTO_TCP:
+            if (pkt->payload_len < sizeof(struct tcp_hdr)) {
+                return false;
+            }
             pkt->virt_hdr.flags = VIRTIO_NET_HDR_F_NEEDS_CSUM;
             pkt->virt_hdr.csum_start = pkt->hdr_len;
             pkt->virt_hdr.csum_offset = offsetof(struct tcp_hdr, th_sum);
             break;
         case IP_PROTO_UDP:
+            if (pkt->payload_len < sizeof(struct udp_hdr)) {
+                return false;
+            }
             pkt->virt_hdr.flags = VIRTIO_NET_HDR_F_NEEDS_CSUM;
             pkt->virt_hdr.csum_start = pkt->hdr_len;
             pkt->virt_hdr.csum_offset = offsetof(struct udp_hdr, uh_sum);
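Review bot: the new checks are stricter than the commit message describes: `sizeof(struct tcp_hdr)` and `sizeof(struct udp_hdr)` require the whole fixed L4 header, not just the bytes up to and including `th_sum` / `uh_sum`. That is the right threshold (a checksum over a truncated header is meaningless and the guest controls `payload_len`), but the commit message should say so, since a reviewer reading "space for the resulting value" will expect `offsetof(..., th_sum) + sizeof(uint16_t)`. Also worth confirming in the same change that every caller of `net_tx_pkt_build_vheader` acts on a `false` return, because this hunk turns what used to be an unconditional success path for TCP and UDP into one that can now fail.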
-- 
2.7.4
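The following is an added, self-contained illustration of the bug class the patch closes; it is not QEMU code and not part of the original mail. The struct layouts, the `NetTxPkt` model and the function names (`build_vheader_checked`, `csum_slot_in_bounds`, `csum_offset_for`) are constructed stand-ins chosen so that `offsetof` yields the real TCP and UDP checksum offsets (16 and 6). It shows why the guest-controlled `payload_len` must be validated before `csum_offset` is advertised: a consumer that later writes the 16-bit checksum at `csum_start + csum_offset` would otherwise write past the end of a runt packet.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the QEMU definitions the patch relies on
 * (hypothetical layouts; field order only matters for offsetof). */
#define IP_PROTO_TCP 6
#define IP_PROTO_UDP 17
#define VIRTIO_NET_HDR_F_NEEDS_CSUM 1

struct tcp_hdr {
    uint16_t th_sport, th_dport;
    uint32_t th_seq, th_ack;
    uint8_t  th_off_x2, th_flags;
    uint16_t th_win, th_sum, th_urp;   /* th_sum at offset 16, 20 bytes total */
};

struct udp_hdr {
    uint16_t uh_sport, uh_dport, uh_ulen, uh_sum;   /* uh_sum at offset 6 */
};

struct virtio_net_hdr {
    uint8_t  flags;
    uint16_t csum_start;    /* where checksumming begins (start of L4 header) */
    uint16_t csum_offset;   /* where the result is stored, relative to csum_start */
};

/* Minimal model of NetTxPkt: L2/L3 headers of hdr_len bytes, then an L4
 * payload of payload_len bytes supplied by the guest. */
struct NetTxPkt {
    uint8_t l4proto;
    size_t  hdr_len;
    size_t  payload_len;
    struct virtio_net_hdr virt_hdr;
};

/* Same logic as the patched net_tx_pkt_build_vheader: the guest controls
 * payload_len, so refuse NEEDS_CSUM unless a full L4 header is present. */
bool build_vheader_checked(struct NetTxPkt *pkt, bool csum_enable)
{
    memset(&pkt->virt_hdr, 0, sizeof(pkt->virt_hdr));
    if (!csum_enable) {
        return true;
    }
    switch (pkt->l4proto) {
    case IP_PROTO_TCP:
        if (pkt->payload_len < sizeof(struct tcp_hdr)) {
            return false;
        }
        pkt->virt_hdr.flags = VIRTIO_NET_HDR_F_NEEDS_CSUM;
        pkt->virt_hdr.csum_start = (uint16_t)pkt->hdr_len;
        pkt->virt_hdr.csum_offset = offsetof(struct tcp_hdr, th_sum);
        return true;
    case IP_PROTO_UDP:
        if (pkt->payload_len < sizeof(struct udp_hdr)) {
            return false;
        }
        pkt->virt_hdr.flags = VIRTIO_NET_HDR_F_NEEDS_CSUM;
        pkt->virt_hdr.csum_start = (uint16_t)pkt->hdr_len;
        pkt->virt_hdr.csum_offset = offsetof(struct udp_hdr, uh_sum);
        return true;
    default:
        return true;   /* no L4 checksum to offload */
    }
}

/* Consumer side: the 16-bit checksum is written at csum_start + csum_offset,
 * so that slot must lie inside the hdr_len + payload_len bytes of the packet. */
bool csum_slot_in_bounds(const struct NetTxPkt *pkt)
{
    size_t total = pkt->hdr_len + pkt->payload_len;
    size_t slot = (size_t)pkt->virt_hdr.csum_start + pkt->virt_hdr.csum_offset;
    return (pkt->virt_hdr.flags & VIRTIO_NET_HDR_F_NEEDS_CSUM) == 0
        || slot + sizeof(uint16_t) <= total;
}

/* Constructed packet: 14-byte Ethernet + 20-byte IPv4 headers (hdr_len 34),
 * followed by payload_len bytes of L4 data. Returns the csum_offset the
 * header advertises, or -1 if the packet is rejected or the slot would
 * land out of bounds. A 4-byte TCP "header" would put the slot at byte 50
 * of a 38-byte packet, which is exactly what the length check prevents. */
int csum_offset_for(uint8_t proto, size_t payload_len)
{
    struct NetTxPkt pkt = { .l4proto = proto, .hdr_len = 34, .payload_len = payload_len };
    if (!build_vheader_checked(&pkt, true) || !csum_slot_in_bounds(&pkt)) {
        return -1;
    }
    return pkt.virt_hdr.csum_offset;
}

int main(void)
{
    printf("runt TCP (4 bytes):  %d\n", csum_offset_for(IP_PROTO_TCP, 4));
    printf("full TCP (20 bytes): %d\n", csum_offset_for(IP_PROTO_TCP, 20));
    printf("runt UDP (7 bytes):  %d\n", csum_offset_for(IP_PROTO_UDP, 7));
    printf("full UDP (8 bytes):  %d\n", csum_offset_for(IP_PROTO_UDP, 8));
    return 0;
}
```

The check is placed before `csum_offset` is computed rather than at the write site because the virtio-net header travels with the packet: once a header advertising `NEEDS_CSUM` with an offset beyond the buffer exists, every later consumer has to re-validate it, whereas rejecting the packet at construction time keeps the invariant in one place.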