From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:58817)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <jasowang@redhat.com>) id 1aY7qv-0001NJ-0e
	for qemu-devel@nongnu.org; Tue, 23 Feb 2016 02:57:49 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <jasowang@redhat.com>) id 1aY7qp-0003oa-V4
	for qemu-devel@nongnu.org; Tue, 23 Feb 2016 02:57:48 -0500
Received: from mx1.redhat.com ([209.132.183.28]:50997)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <jasowang@redhat.com>) id 1aY7qp-0003oG-PX
	for qemu-devel@nongnu.org; Tue, 23 Feb 2016 02:57:43 -0500
References: <1455710904-13368-1-git-send-email-ppandit@redhat.com>
	<878u2jh4uz.fsf@blackfin.pond.sub.org>
	<alpine.LFD.2.20.1602172316050.17380@wniryva>
	<87povujrf8.fsf@blackfin.pond.sub.org>
	<alpine.LFD.2.20.1602181548400.23443@wniryva>
From: Jason Wang <jasowang@redhat.com>
Message-ID: <56CC10E5.6010902@redhat.com>
Date: Tue, 23 Feb 2016 15:57:25 +0800
MIME-Version: 1.0
In-Reply-To: <alpine.LFD.2.20.1602181548400.23443@wniryva>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH] net: check packet payload length
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: P J P <ppandit@redhat.com>, Markus Armbruster <armbru@redhat.com>
Cc: Qemu Developers <qemu-devel@nongnu.org>, Liu Ling <liuling-it@360.cn>



On 02/18/2016 06:33 PM, P J P wrote:
>   Hello Markus,
>
> +-- On Thu, 18 Feb 2016, Markus Armbruster wrote --+
> | 
> |           if ((data[14] & 0xf0) != 0x40)
> | Buffer overrun when length <= 14.
> | 
> |           proto = data[23];
> | Buffer overrun when length <= 23.
> | 
> | I think we should check that we got at least an IPv4 header without
> | options (length >= 14 + 20) before accessing said header.
>
>   Right. Some callers do have checks in place to ensure length is >= minium 
> packet length. Still it'll help to add an assert(length >= 14+20);

Let's avoid adding assert() here since it could be triggered by guest.

>
> |     /*
> |      * Compute and store checksum of IPv4 TCP or UDP packet.
> |      * @data holds @length bytes.  It must be a complete packet.
> |      * If this is an IPv4 TCP packet, compute its checksum and store it
> |      * in the TCP header.
> |      * Else if this is a complete IPv4 UDP packet, compute its checksum
> |      * and store it in the UDP header.
> |      * Else do nothing.
> |      */
> |     void net_checksum_calculate(uint8_t *data, int length)
> | 
> | I find it simpler.
> | 
> | If the other buffer overrun I mentioned above needs fixing: yes.
> | Else: depends on the maintainer.
>
>   Okay, I'll wait for Jason's inputs and will send a revised patch including 
> your suggestions above.
>
> Thank you.
> --
> Prasad J Pandit / Red Hat Product Security Team
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

I think you need audit all the callers to see if the issue mentioned by
Markus existed first.