[PATCH v6 26/34] hw/net/net_tx_pkt: Check the payload length
From: Akihiko Odaki
Subject: [PATCH v6 26/34] hw/net/net_tx_pkt: Check the payload length
Date: Thu, 23 Feb 2023 19:20:10 +0900
Check the payload length if checksumming to ensure the payload contains
the space for the resulting value.
This bug was found by Alexander Bulekov with the fuzzer:
https://patchew.org/QEMU/20230129053316.1071513-1-alxndr@bu.edu/
The fixed test case is:
fuzz/crash_6aeaa33e7211ecd603726c53e834df4c6d1e08bc
Fixes: e263cd49c7 ("Packet abstraction for VMWARE network devices")
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
---
hw/net/net_tx_pkt.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
index 4a35e8429d..986a3adfe9 100644
--- a/hw/net/net_tx_pkt.c
+++ b/hw/net/net_tx_pkt.c
@@ -342,11 +342,17 @@ bool net_tx_pkt_build_vheader(struct NetTxPkt *pkt, bool
tso_enable,
if (csum_enable) {
switch (pkt->l4proto) {
case IP_PROTO_TCP:
+ if (pkt->payload_len < sizeof(struct tcp_hdr)) {
+ return false;
+ }
pkt->virt_hdr.flags = VIRTIO_NET_HDR_F_NEEDS_CSUM;
pkt->virt_hdr.csum_start = pkt->hdr_len;
pkt->virt_hdr.csum_offset = offsetof(struct tcp_hdr, th_sum);
break;
case IP_PROTO_UDP:
+ if (pkt->payload_len < sizeof(struct udp_hdr)) {
+ return false;
+ }
pkt->virt_hdr.flags = VIRTIO_NET_HDR_F_NEEDS_CSUM;
pkt->virt_hdr.csum_start = pkt->hdr_len;
pkt->virt_hdr.csum_offset = offsetof(struct udp_hdr, uh_sum);
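Review bot: The new early returns in the IP_PROTO_TCP and IP_PROTO_UDP cases make net_tx_pkt_build_vheader fail only on the csum_enable path, and nothing in this hunk shows whether the call sites check the bool result and drop the packet, so that should be confirmed against the callers in the series. The bound used is the full sizeof(struct tcp_hdr) / sizeof(struct udp_hdr), which is stricter than the space needed for the checksum field at csum_offset that the commit message describes. That is a reasonable choice, but a one-line comment above each check saying it guards the th_sum / uh_sum field located at csum_start + csum_offset would record why the comparison is against payload_len and the whole header size. The two checks are also identical apart from the struct name, so if more L4 cases are added later the bound could be computed once per case and tested after the switch.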
--
2.39.1