From: Jason Wang <jasowang@redhat.com>
To: P J P <ppandit@redhat.com>
Cc: Markus Armbruster <armbru@redhat.com>,
Qemu Developers <qemu-devel@nongnu.org>,
Liu Ling <liuling-it@360.cn>
Subject: Re: [Qemu-devel] [PATCH v2 1/2] net: check packet payload length
Date: Wed, 2 Mar 2016 11:21:26 +0800 [thread overview]
Message-ID: <56D65C36.6030702@redhat.com> (raw)
In-Reply-To: <alpine.LFD.2.20.1603011127120.23134@wniryva>
On 03/01/2016 02:48 PM, P J P wrote:
> Hello Jason,
>
> +-- On Fri, 26 Feb 2016, Jason Wang wrote --+
> | Should we count mac header here? Did "plen + hlen >= length" imply "14 +
> | hlen + csum_offset + 1" < length?
> |
> | Looks not. Consider a TCP packet can report evil plen (e.g 20) but just
> | have 10 bytes payload in fact. In this case:
> |
> | hlen = 20, plen = 20, csum_offset = 16, length = 44 which can pass all
> | the above tests, but 14 + hlen + csum_offset = 50 which is greater than
> | length.
>
> Ummn, not sure. hlen + plen = total length(IP + TCP/UDP), 20+20 != 44.
> 'length' is also used to read and allocate requisite buffers in other parts
> from where net_checksum_calculate() is called,
>
> ===
> etsec->tx_buffer = g_realloc(etsec->tx_buffer,
> etsec->tx_buffer_len + bd->length);
> ...
> /* Update buffer length */
> etsec->tx_buffer_len += bd->length;
>
> process_tx_fcb(etsec);
> -> net_checksum_calculate(etsec->tx_buffer + 8,
> etsec->tx_buffer_len - 8);
>
> OR
>
> memcpy(tmpbuf, page + txreq.offset, txreq.size);
> net_checksum_calculate(tmpbuf, txreq.size);
> ===
>
> - With 'length < 14 + 20', we ensure that L2 & L3 headers are complete.
How about L4, since we will calculate L4 checksum I believe? And it
looks like the following check:
plen + hlen >= length
only count L3 header plus payload?
> 44 - 34 = 10, TCP/UDP header is incomplete.
>
> I think 'plen=20 != 10' hints at an error in other parts of the code?
Well, the point is. If we want depend on callers to do all the checks,
we need fix all the callers. Otherwise, we need to do all the check in
net_checksum_calculate() itself (E.g to handle all kinds of evil packets).
> Also if
> data buffer has more space than actual data, OOB access may not occur.
>
> --
> Prasad J Pandit / Red Hat Product Security Team
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
>
next prev parent reply other threads:[~2016-03-02 3:21 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-23 16:08 [Qemu-devel] [PATCH v2 0/2] net: check payload length and minor updates P J P
2016-02-23 16:08 ` [Qemu-devel] [PATCH v2 1/2] net: check packet payload length P J P
2016-02-26 6:10 ` Jason Wang
2016-03-01 6:48 ` P J P
2016-03-02 3:21 ` Jason Wang [this message]
2016-03-02 12:01 ` P J P
2016-02-23 16:08 ` [Qemu-devel] [PATCH v2 2/2] net: minor indentation updates P J P
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56D65C36.6030702@redhat.com \
--to=jasowang@redhat.com \
--cc=armbru@redhat.com \
--cc=liuling-it@360.cn \
--cc=ppandit@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).