Subject: [PATCH] virtio-net: break gracefully on packet without valid header
From: Konstantin Khlebnikov
To: qemu-devel@nongnu.org
Cc: yc-core@yandex-team.ru
Date: Thu, 10 Feb 2022 14:44:42 +0300
Message-ID: <164449348255.2210192.2702615307678007456.stgit@dynamic-vpn.dhcp.yndx.net>

Right now a too short packet from the guest triggers an assert in iov_copy()
(because the requested offset does not fit into the io vector).

For legacy virtio without feature VIRTIO_F_ANY_LAYOUT the virtio-net header
must fit exactly in the first descriptor. With features VIRTIO_F_ANY_LAYOUT
or VIRTIO_F_VERSION_1 the header is usually fused with data but sides must
support any arbitrary layout, so the header may not fit into the first
descriptor.

The present check verifies only the count of descriptors, which isn't helpful.
Let's check the total length to intercept such short packets.

An alternative solution is removing asserts from io vector helpers and
checking results of copying from io vector where needed.

Buglink: https://gitlab.com/qemu-project/qemu/-/issues/762 Signed-off-by: Konstantin Khlebnikov --- hw/net/virtio-net.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c index cf8ab0f8af..b47f70076d 100644 --- a/hw/net/virtio-net.c +++ b/hw/net/virtio-net.c @@ -2533,8 +2533,8 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q) =20 out_num =3D elem->out_num; out_sg =3D elem->out_sg; - if (out_num < 1) { - virtio_error(vdev, "virtio-net header not in first element"); + if (iov_size(out_sg, out_num) < n->guest_hdr_len) { + virtio_error(vdev, "virtio-net header is missing"); virtqueue_detach_element(q->tx_vq, elem, 0); g_free(elem); return -EINVAL;
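
Review bot: The new condition in virtio_net_flush_tx(), `iov_size(out_sg, out_num) < n->guest_hdr_len`, still accepts an element whose total length equals the header length exactly, so please confirm that the code after this check handles a header-only packet with no payload, and that the iov_copy() offset the commit message refers to is n->guest_hdr_len rather than some larger value. The removed `out_num < 1` case is now covered only implicitly, because iov_size() over zero elements is 0 and that is below any non-zero guest_hdr_len; a one-line comment saying so, or a note on why guest_hdr_len cannot be 0 here, would make that visible. The error text "virtio-net header is missing" would be easier to act on if it reported both the total length seen and the expected header length, and a regression test reproducing the issue in the Buglink would keep the assert from coming back.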