From: Jason Wang
To: qemu-devel@nongnu.org, peter.maydell@linaro.org
Cc: Akihiko Odaki, Jason Wang
Subject: [PULL V2 19/44] net: Check L4 header size
Date: Fri, 10 Mar 2023 17:35:01 +0800
Message-Id: <20230310093526.30828-20-jasowang@redhat.com>
In-Reply-To: <20230310093526.30828-1-jasowang@redhat.com>
References: <20230310093526.30828-1-jasowang@redhat.com>

From: Akihiko Odaki

net_tx_pkt_build_vheader() inspects the TCP header but had no check for the header size, resulting in undefined behavior. Check the header size and drop the packet if the header is too small.

Signed-off-by: Akihiko Odaki
Signed-off-by: Jason Wang --- hw/net/e1000e_core.c | 19 ++++++++++++++----- hw/net/net_tx_pkt.c | 13 ++++++++++--- hw/net/net_tx_pkt.h | 3 ++- hw/net/vmxnet3.c | 14 +++++++------- 4 files changed, 33 insertions(+), 16 deletions(-) diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c index d143f2a..38d374f 100644 --- a/hw/net/e1000e_core.c +++ b/hw/net/e1000e_core.c @@ -629,23 +629,30 @@ e1000e_rss_parse_packet(E1000ECore *core, info->queue =3D E1000_RSS_QUEUE(&core->mac[RETA], info->hash); } =20 -static void +static bool e1000e_setup_tx_offloads(E1000ECore *core, struct e1000e_tx *tx) { if (tx->props.tse && tx->cptse) { - net_tx_pkt_build_vheader(tx->tx_pkt, true, true, tx->props.mss); + if (!net_tx_pkt_build_vheader(tx->tx_pkt, true, true, tx->props.ms= s)) { + return false; + } + net_tx_pkt_update_ip_checksums(tx->tx_pkt); e1000x_inc_reg_if_not_full(core->mac, TSCTC); - return; + return true; } =20 if (tx->sum_needed & E1000_TXD_POPTS_TXSM) { - net_tx_pkt_build_vheader(tx->tx_pkt, false, true, 0); + if (!net_tx_pkt_build_vheader(tx->tx_pkt, false, true, 0)) { + return false; + } } =20 if (tx->sum_needed & E1000_TXD_POPTS_IXSM) { net_tx_pkt_update_ip_hdr_checksum(tx->tx_pkt); } + + return true; } =20 static bool @@ -654,7 +661,9 @@ e1000e_tx_pkt_send(E1000ECore *core, struct e1000e_tx *= tx, int queue_index) int target_queue =3D MIN(core->max_queue_num, queue_index); NetClientState *queue =3D qemu_get_subqueue(core->owner_nic, target_qu= eue); =20 - e1000e_setup_tx_offloads(core, tx); + if (!e1000e_setup_tx_offloads(core, tx)) { + return false; + } =20 net_tx_pkt_dump(tx->tx_pkt); =20 diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c index 2533ea2..8a23899 100644 --- a/hw/net/net_tx_pkt.c +++ b/hw/net/net_tx_pkt.c 
@@ -304,10 +304,11 @@ func_exit: return rc; } =20 -void net_tx_pkt_build_vheader(struct NetTxPkt *pkt, bool tso_enable, +bool net_tx_pkt_build_vheader(struct NetTxPkt *pkt, bool tso_enable, bool csum_enable, uint32_t gso_size) { struct tcp_hdr l4hdr; + size_t bytes_read; assert(pkt); =20 /* csum has to be enabled if tso is. */ @@ -328,8 +329,12 @@ void net_tx_pkt_build_vheader(struct NetTxPkt *pkt, bo= ol tso_enable, =20 case VIRTIO_NET_HDR_GSO_TCPV4: case VIRTIO_NET_HDR_GSO_TCPV6: - iov_to_buf(&pkt->vec[NET_TX_PKT_PL_START_FRAG], pkt->payload_frags, - 0, &l4hdr, sizeof(l4hdr)); + bytes_read =3D iov_to_buf(&pkt->vec[NET_TX_PKT_PL_START_FRAG], + pkt->payload_frags, 0, &l4hdr, sizeof(l4hd= r)); + if (bytes_read < sizeof(l4hdr)) { + return false; + } + pkt->virt_hdr.hdr_len =3D pkt->hdr_len + l4hdr.th_off * sizeof(uin= t32_t); pkt->virt_hdr.gso_size =3D gso_size; break; @@ -354,6 +359,8 @@ void net_tx_pkt_build_vheader(struct NetTxPkt *pkt, boo= l tso_enable, break; } } + + return true; } =20 void net_tx_pkt_setup_vlan_header_ex(struct NetTxPkt *pkt, diff --git a/hw/net/net_tx_pkt.h b/hw/net/net_tx_pkt.h index 4ec8bbe..2e38a5f 100644 --- a/hw/net/net_tx_pkt.h +++ b/hw/net/net_tx_pkt.h @@ -59,9 +59,10 @@ struct virtio_net_hdr *net_tx_pkt_get_vhdr(struct NetTxP= kt *pkt); * @tso_enable: TSO enabled * @csum_enable: CSO enabled * @gso_size: MSS size for TSO + * @ret: operation result * */ -void net_tx_pkt_build_vheader(struct NetTxPkt *pkt, bool tso_enable, +bool net_tx_pkt_build_vheader(struct NetTxPkt *pkt, bool tso_enable, bool csum_enable, uint32_t gso_size); =20 /** diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c index 56559cd..d7d492a 100644 --- a/hw/net/vmxnet3.c +++ b/hw/net/vmxnet3.c 
@@ -440,19 +440,19 @@ vmxnet3_setup_tx_offloads(VMXNET3State *s) { switch (s->offload_mode) { case VMXNET3_OM_NONE: - net_tx_pkt_build_vheader(s->tx_pkt, false, false, 0); - break; + return net_tx_pkt_build_vheader(s->tx_pkt, false, false, 0); =20 case VMXNET3_OM_CSUM: - net_tx_pkt_build_vheader(s->tx_pkt, false, true, 0); VMW_PKPRN("L4 CSO requested\n"); - break; + return net_tx_pkt_build_vheader(s->tx_pkt, false, true, 0); =20 case VMXNET3_OM_TSO: - net_tx_pkt_build_vheader(s->tx_pkt, true, true, - s->cso_or_gso_size); - net_tx_pkt_update_ip_checksums(s->tx_pkt); VMW_PKPRN("GSO offload requested."); + if (!net_tx_pkt_build_vheader(s->tx_pkt, true, true, + s->cso_or_gso_size)) { + return false; + } + net_tx_pkt_update_ip_checksums(s->tx_pkt); break; =20 default: --=20 2.7.4
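Review bot: In hw/net/e1000e_core.c, the new early "return false" in e1000e_tx_pkt_send() is taken before net_tx_pkt_dump() and nothing is logged or traced on that path, so a packet rejected by e1000e_setup_tx_offloads() disappears silently. Consider adding a trace event or debug print at the point where e1000e_setup_tx_offloads() reports failure, so that a short L4 header can be told apart from other transmit problems when debugging a guest.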
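Review bot: In hw/net/net_tx_pkt.c, the added "bytes_read < sizeof(l4hdr)" check in net_tx_pkt_build_vheader() only guarantees that the fixed part of struct tcp_hdr was copied; the following line still uses l4hdr.th_off, read from the packet, without validation when computing pkt->virt_hdr.hdr_len. Consider also returning false when th_off * sizeof(uint32_t) is smaller than sizeof(l4hdr) or larger than the payload actually present, so that hdr_len cannot describe a header the packet does not contain.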
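Review bot: In hw/net/net_tx_pkt.h, the added doc line "@ret: operation result" does not say what false means or what the caller is expected to do with it. Suggest spelling it out, for example that the function returns true on success and false when the L4 header is too short, and that the caller must then drop the packet.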
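Review bot: In hw/net/vmxnet3.c, vmxnet3_setup_tx_offloads() now mixes two exit styles: the VMXNET3_OM_NONE and VMXNET3_OM_CSUM cases return the result of net_tx_pkt_build_vheader() directly, while the VMXNET3_OM_TSO case returns false on failure but still ends in "break" and relies on a return outside the hunk for the success value. Suggest ending the TSO case with an explicit "return true;" after net_tx_pkt_update_ip_checksums() so every case states its own result and the success path does not depend on code after the switch.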