From: Li Qiang <liq3ea@gmail.com>
To: P J P <ppandit@redhat.com>
Cc: Alexander Bulekov <alxndr@bu.edu>,
Jason Wang <jasowang@redhat.com>,
Dmitry Fleytman <dmitry.fleytman@gmail.com>,
QEMU Developers <qemu-devel@nongnu.org>,
Prasad J Pandit <pjp@fedoraproject.org>
Subject: Re: [PATCH] net: check payload length limit for all frames
Date: Fri, 17 Jul 2020 08:53:42 +0800 [thread overview]
Message-ID: <CAKXe6SKL3aNiOKKLEMof6GGNjYLcX9fvfSf-0PBSX48rh4--FQ@mail.gmail.com> (raw)
In-Reply-To: <20200716192335.1212638-1-ppandit@redhat.com>
P J P <ppandit@redhat.com> 于2020年7月17日周五 上午3:26写道:
>
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> While sending packets, the check that packet 'payload_len'
> is within 64kB limit, seems to happen only for GSO frames.
> It may lead to use-after-free or out-of-bounds access like
> issues when sending non-GSO frames. Check the 'payload_len'
> limit for all packets, irrespective of the gso type.
>
Hello Prasad,
Which issue are you trying to solve, any reference linking?
I also send a patch related this part and also a UAF.
Thanks,
Li Qiang
> Reported-by: Alexander Bulekov <alxndr@bu.edu>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> hw/net/net_tx_pkt.c | 10 ++++------
> 1 file changed, 4 insertions(+), 6 deletions(-)
>
> diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
> index 162f802dd7..e66998a8f9 100644
> --- a/hw/net/net_tx_pkt.c
> +++ b/hw/net/net_tx_pkt.c
> @@ -607,12 +607,10 @@ bool net_tx_pkt_send(struct NetTxPkt *pkt, NetClientState *nc)
> * Since underlying infrastructure does not support IP datagrams longer
> * than 64K we should drop such packets and don't even try to send
> */
> - if (VIRTIO_NET_HDR_GSO_NONE != pkt->virt_hdr.gso_type) {
> - if (pkt->payload_len >
> - ETH_MAX_IP_DGRAM_LEN -
> - pkt->vec[NET_TX_PKT_L3HDR_FRAG].iov_len) {
> - return false;
> - }
> + if (pkt->payload_len >
> + ETH_MAX_IP_DGRAM_LEN -
> + pkt->vec[NET_TX_PKT_L3HDR_FRAG].iov_len) {
> + return false;
> }
>
> if (pkt->has_virt_hdr ||
> --
> 2.26.2
>
>
next prev parent reply other threads:[~2020-07-17 0:54 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-16 19:23 [PATCH] net: check payload length limit for all frames P J P
2020-07-17 0:53 ` Li Qiang [this message]
2020-07-17 1:21 ` Alexander Bulekov
2020-07-17 3:13 ` Jason Wang
2020-07-17 5:06 ` P J P
2020-07-17 5:51 ` Jason Wang
2020-07-17 9:08 ` P J P
2020-07-17 10:02 ` Li Qiang
2020-07-20 2:24 ` P J P
2020-07-20 3:33 ` Alexander Bulekov
2020-07-20 11:46 ` Li Qiang
2020-07-20 12:57 ` P J P
2020-07-20 13:20 ` Li Qiang
2020-07-20 14:02 ` Alexander Bulekov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAKXe6SKL3aNiOKKLEMof6GGNjYLcX9fvfSf-0PBSX48rh4--FQ@mail.gmail.com \
--to=liq3ea@gmail.com \
--cc=alxndr@bu.edu \
--cc=dmitry.fleytman@gmail.com \
--cc=jasowang@redhat.com \
--cc=pjp@fedoraproject.org \
--cc=ppandit@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).