From nobody Thu Dec 18 19:36:06 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1678173053; cv=none; d=zohomail.com; s=zohoarc; b=mjJkCeNYuyFh+XaYLLuRxZcZcAyu5jM2Oc9UwbJcW9y7BubTV1aZLYjxCJYZkwEPLjuHMlSQniYY8BjziIwS8gh9IzPVAmd6vW5I0m/mdW/k0RIscNcgsIVEaGO/RvG2y33i0jFMLHekajpiBzAVkasUPrUsZcZzffhCmhBQYco= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1678173053; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=8XuobJq8nPtEfuy3ZbksC0txmPUzdbnbwE594wcEClc=; b=TqSy+jyipeuzQyPScI+rE9V7C24Ni6OSOTLAhLwtJGWU7GnQUqhjYxCbpi8h/+yr7ynBBvtb38dWcCrdqHHS1eHiI6+rBSI55iLTmkKYdrQ1RDHaH4DGZLNWypB1jdFgyfnHEd8Jh2zgQkWvZ/12EhKA3Cwq0H84khkinyMxn3M= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1678173053822263.55882975378006; Mon, 6 Mar 2023 23:10:53 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1pZRSP-0000w0-Ih; Tue, 07 Mar 2023 02:09:57 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pZRSN-0000qU-KJ for qemu-devel@nongnu.org; Tue, 07 Mar 2023 02:09:55 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pZRSL-0005V6-Jr for qemu-devel@nongnu.org; Tue, 07 Mar 2023 02:09:55 -0500 Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-88-fNi1KqHsPo-4xgcl1AmbYg-1; Tue, 07 Mar 2023 02:09:49 -0500 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.rdu2.redhat.com [10.11.54.2]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 685FE2808E60; Tue, 7 Mar 2023 07:09:49 +0000 (UTC) Received: from localhost.localdomain (ovpn-12-78.pek2.redhat.com [10.72.12.78]) by smtp.corp.redhat.com (Postfix) with ESMTP id B2EC14010E36; Tue, 7 Mar 2023 07:09:47 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1678172993; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=8XuobJq8nPtEfuy3ZbksC0txmPUzdbnbwE594wcEClc=; b=LL+KpOwZ2AtD+bjaCapmVEgJ9KklYps2qb1/XDDpkr5aaOzebzFjxWTqPhUf40PWkDjfkJ AU+rumPKYEQk2FbnrAfz2PM3lD6otZwFu7MNpCZV8phSHO/+dNS2aKN6R6GKXA0ZF6VypF g55rEysY227XCTDoREie/fj+nzNkehE= X-MC-Unique: fNi1KqHsPo-4xgcl1AmbYg-1 From: Jason Wang To: qemu-devel@nongnu.org, peter.maydell@linaro.org Cc: Akihiko Odaki , Jason Wang Subject: [PULL 19/51] net: Check L4 header size Date: Tue, 7 Mar 2023 15:07:44 +0800 Message-Id: <20230307070816.34833-20-jasowang@redhat.com> In-Reply-To: <20230307070816.34833-1-jasowang@redhat.com> References: <20230307070816.34833-1-jasowang@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.1 on 10.11.54.2 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=jasowang@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1678173054961100008 Content-Type: text/plain; charset="utf-8" From: Akihiko Odaki net_tx_pkt_build_vheader() inspects TCP header but had no check for the header size, resulting in an undefined behavior. Check the header size and drop the packet if the header is too small. Signed-off-by: Akihiko Odaki Signed-off-by: Jason Wang --- hw/net/e1000e_core.c | 19 ++++++++++++++----- hw/net/net_tx_pkt.c | 13 ++++++++++--- hw/net/net_tx_pkt.h | 3 ++- hw/net/vmxnet3.c | 14 +++++++------- 4 files changed, 33 insertions(+), 16 deletions(-) diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c index d143f2a..38d374f 100644 --- a/hw/net/e1000e_core.c +++ b/hw/net/e1000e_core.c @@ -629,23 +629,30 @@ e1000e_rss_parse_packet(E1000ECore *core, info->queue =3D E1000_RSS_QUEUE(&core->mac[RETA], info->hash); } =20 -static void +static bool e1000e_setup_tx_offloads(E1000ECore *core, struct e1000e_tx *tx) { if (tx->props.tse && tx->cptse) { - net_tx_pkt_build_vheader(tx->tx_pkt, true, true, tx->props.mss); + if (!net_tx_pkt_build_vheader(tx->tx_pkt, true, true, tx->props.ms= s)) { + return false; + } + net_tx_pkt_update_ip_checksums(tx->tx_pkt); e1000x_inc_reg_if_not_full(core->mac, TSCTC); - return; + return true; } =20 if (tx->sum_needed & E1000_TXD_POPTS_TXSM) { - net_tx_pkt_build_vheader(tx->tx_pkt, false, true, 0); + if (!net_tx_pkt_build_vheader(tx->tx_pkt, false, true, 0)) { + return false; + } } =20 if (tx->sum_needed & E1000_TXD_POPTS_IXSM) { net_tx_pkt_update_ip_hdr_checksum(tx->tx_pkt); } + + return true; } =20 static bool @@ -654,7 +661,9 @@ e1000e_tx_pkt_send(E1000ECore *core, struct e1000e_tx *= tx, int queue_index) int target_queue =3D MIN(core->max_queue_num, queue_index); NetClientState *queue =3D qemu_get_subqueue(core->owner_nic, target_qu= eue); =20 - e1000e_setup_tx_offloads(core, tx); + if (!e1000e_setup_tx_offloads(core, tx)) { + return false; + } =20 net_tx_pkt_dump(tx->tx_pkt); =20 diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c index 2533ea2..8a23899 100644 --- a/hw/net/net_tx_pkt.c +++ b/hw/net/net_tx_pkt.c @@ -304,10 +304,11 @@ func_exit: return rc; } =20 -void net_tx_pkt_build_vheader(struct NetTxPkt *pkt, bool tso_enable, +bool net_tx_pkt_build_vheader(struct NetTxPkt *pkt, bool tso_enable, bool csum_enable, uint32_t gso_size) { struct tcp_hdr l4hdr; + size_t bytes_read; assert(pkt); =20 /* csum has to be enabled if tso is. */ @@ -328,8 +329,12 @@ void net_tx_pkt_build_vheader(struct NetTxPkt *pkt, bo= ol tso_enable, =20 case VIRTIO_NET_HDR_GSO_TCPV4: case VIRTIO_NET_HDR_GSO_TCPV6: - iov_to_buf(&pkt->vec[NET_TX_PKT_PL_START_FRAG], pkt->payload_frags, - 0, &l4hdr, sizeof(l4hdr)); + bytes_read =3D iov_to_buf(&pkt->vec[NET_TX_PKT_PL_START_FRAG], + pkt->payload_frags, 0, &l4hdr, sizeof(l4hd= r)); + if (bytes_read < sizeof(l4hdr)) { + return false; + } + pkt->virt_hdr.hdr_len =3D pkt->hdr_len + l4hdr.th_off * sizeof(uin= t32_t); pkt->virt_hdr.gso_size =3D gso_size; break; @@ -354,6 +359,8 @@ void net_tx_pkt_build_vheader(struct NetTxPkt *pkt, boo= l tso_enable, break; } } + + return true; } =20 void net_tx_pkt_setup_vlan_header_ex(struct NetTxPkt *pkt, diff --git a/hw/net/net_tx_pkt.h b/hw/net/net_tx_pkt.h index 4ec8bbe..2e38a5f 100644 --- a/hw/net/net_tx_pkt.h +++ b/hw/net/net_tx_pkt.h @@ -59,9 +59,10 @@ struct virtio_net_hdr *net_tx_pkt_get_vhdr(struct NetTxP= kt *pkt); * @tso_enable: TSO enabled * @csum_enable: CSO enabled * @gso_size: MSS size for TSO + * @ret: operation result * */ -void net_tx_pkt_build_vheader(struct NetTxPkt *pkt, bool tso_enable, +bool net_tx_pkt_build_vheader(struct NetTxPkt *pkt, bool tso_enable, bool csum_enable, uint32_t gso_size); =20 /** diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c index 56559cd..d7d492a 100644 --- a/hw/net/vmxnet3.c +++ b/hw/net/vmxnet3.c @@ -440,19 +440,19 @@ vmxnet3_setup_tx_offloads(VMXNET3State *s) { switch (s->offload_mode) { case VMXNET3_OM_NONE: - net_tx_pkt_build_vheader(s->tx_pkt, false, false, 0); - break; + return net_tx_pkt_build_vheader(s->tx_pkt, false, false, 0); =20 case VMXNET3_OM_CSUM: - net_tx_pkt_build_vheader(s->tx_pkt, false, true, 0); VMW_PKPRN("L4 CSO requested\n"); - break; + return net_tx_pkt_build_vheader(s->tx_pkt, false, true, 0); =20 case VMXNET3_OM_TSO: - net_tx_pkt_build_vheader(s->tx_pkt, true, true, - s->cso_or_gso_size); - net_tx_pkt_update_ip_checksums(s->tx_pkt); VMW_PKPRN("GSO offload requested."); + if (!net_tx_pkt_build_vheader(s->tx_pkt, true, true, + s->cso_or_gso_size)) { + return false; + } + net_tx_pkt_update_ip_checksums(s->tx_pkt); break; =20 default: --=20 2.7.4