net/tap.c | 5 +++++ 1 file changed, 5 insertions(+)
Theoretically tap_read_packet() may return size less than
s->host_vnet_hdr_len, and next, we'll work with negative size
(in case of !s->using_vnet_hdr). Let's avoid it.
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
---
net/tap.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/tap.c b/net/tap.c
index ae1c7e39832..20d0dc2eb35 100644
--- a/net/tap.c
+++ b/net/tap.c
@@ -172,6 +172,11 @@ static void tap_send(void *opaque)
break;
}
+ if (s->host_vnet_hdr_len && size < s->host_vnet_hdr_len) {
+ /* Invalid packet */
+ break;
+ }
+
if (s->host_vnet_hdr_len && !s->using_vnet_hdr) {
buf += s->host_vnet_hdr_len;
size -= s->host_vnet_hdr_len;
--
2.48.1On 7/3/25 1:55 PM, Vladimir Sementsov-Ogievskiy wrote:
> Theoretically tap_read_packet() may return size less than
> s->host_vnet_hdr_len, and next, we'll work with negative size
> (in case of !s->using_vnet_hdr). Let's avoid it.
>
> Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
> ---
> net/tap.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/net/tap.c b/net/tap.c
> index ae1c7e39832..20d0dc2eb35 100644
> --- a/net/tap.c
> +++ b/net/tap.c
> @@ -172,6 +172,11 @@ static void tap_send(void *opaque)
> break;
> }
>
> + if (s->host_vnet_hdr_len && size < s->host_vnet_hdr_len) {
> + /* Invalid packet */
> + break;
> + }
> +
> if (s->host_vnet_hdr_len && !s->using_vnet_hdr) {
> buf += s->host_vnet_hdr_len;
> size -= s->host_vnet_hdr_len;
Reviewed-by: Daniil Tatianin <d-tatianin@yandex-team.ru>
On Thu, Jul 3, 2025 at 10:59 PM Daniil Tatianin
<d-tatianin@yandex-team.ru> wrote:
>
> On 7/3/25 1:55 PM, Vladimir Sementsov-Ogievskiy wrote:
>
> > Theoretically tap_read_packet() may return size less than
> > s->host_vnet_hdr_len, and next, we'll work with negative size
> > (in case of !s->using_vnet_hdr). Let's avoid it.
> >
> > Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
> > ---
> > net/tap.c | 5 +++++
> > 1 file changed, 5 insertions(+)
> >
> > diff --git a/net/tap.c b/net/tap.c
> > index ae1c7e39832..20d0dc2eb35 100644
> > --- a/net/tap.c
> > +++ b/net/tap.c
> > @@ -172,6 +172,11 @@ static void tap_send(void *opaque)
> > break;
> > }
> >
> > + if (s->host_vnet_hdr_len && size < s->host_vnet_hdr_len) {
> > + /* Invalid packet */
> > + break;
> > + }
> > +
> > if (s->host_vnet_hdr_len && !s->using_vnet_hdr) {
> > buf += s->host_vnet_hdr_len;
> > size -= s->host_vnet_hdr_len;
>
> Reviewed-by: Daniil Tatianin <d-tatianin@yandex-team.ru>
Queued.
Thanks
>
>
On 07.07.25 06:49, Jason Wang wrote:
> On Thu, Jul 3, 2025 at 10:59 PM Daniil Tatianin
> <d-tatianin@yandex-team.ru> wrote:
>>
>> On 7/3/25 1:55 PM, Vladimir Sementsov-Ogievskiy wrote:
>>
>>> Theoretically tap_read_packet() may return size less than
>>> s->host_vnet_hdr_len, and next, we'll work with negative size
>>> (in case of !s->using_vnet_hdr). Let's avoid it.
>>>
>>> Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
>>> ---
>>> net/tap.c | 5 +++++
>>> 1 file changed, 5 insertions(+)
>>>
>>> diff --git a/net/tap.c b/net/tap.c
>>> index ae1c7e39832..20d0dc2eb35 100644
>>> --- a/net/tap.c
>>> +++ b/net/tap.c
>>> @@ -172,6 +172,11 @@ static void tap_send(void *opaque)
>>> break;
>>> }
>>>
>>> + if (s->host_vnet_hdr_len && size < s->host_vnet_hdr_len) {
Should it be better to s/</<=/ here? To skip size == s->host_vnet_hdr_len as well?
>>> + /* Invalid packet */
>>> + break;
>>> + }
>>> +
>>> if (s->host_vnet_hdr_len && !s->using_vnet_hdr) {
>>> buf += s->host_vnet_hdr_len;
>>> size -= s->host_vnet_hdr_len;
>>
>> Reviewed-by: Daniil Tatianin <d-tatianin@yandex-team.ru>
>
> Queued.
>
> Thanks
>
>>
>>
>
--
Best regards,
Vladimir
On Wed, Jul 9, 2025 at 10:43 PM Vladimir Sementsov-Ogievskiy
<vsementsov@yandex-team.ru> wrote:
>
> On 07.07.25 06:49, Jason Wang wrote:
> > On Thu, Jul 3, 2025 at 10:59 PM Daniil Tatianin
> > <d-tatianin@yandex-team.ru> wrote:
> >>
> >> On 7/3/25 1:55 PM, Vladimir Sementsov-Ogievskiy wrote:
> >>
> >>> Theoretically tap_read_packet() may return size less than
> >>> s->host_vnet_hdr_len, and next, we'll work with negative size
> >>> (in case of !s->using_vnet_hdr). Let's avoid it.
> >>>
> >>> Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
> >>> ---
> >>> net/tap.c | 5 +++++
> >>> 1 file changed, 5 insertions(+)
> >>>
> >>> diff --git a/net/tap.c b/net/tap.c
> >>> index ae1c7e39832..20d0dc2eb35 100644
> >>> --- a/net/tap.c
> >>> +++ b/net/tap.c
> >>> @@ -172,6 +172,11 @@ static void tap_send(void *opaque)
> >>> break;
> >>> }
> >>>
> >>> + if (s->host_vnet_hdr_len && size < s->host_vnet_hdr_len) {
>
> Should it be better to s/</<=/ here? To skip size == s->host_vnet_hdr_len as well?
It would be better.
Thanks
>
> >>> + /* Invalid packet */
> >>> + break;
> >>> + }
> >>> +
> >>> if (s->host_vnet_hdr_len && !s->using_vnet_hdr) {
> >>> buf += s->host_vnet_hdr_len;
> >>> size -= s->host_vnet_hdr_len;
> >>
> >> Reviewed-by: Daniil Tatianin <d-tatianin@yandex-team.ru>
> >
> > Queued.
> >
> > Thanks
> >
> >>
> >>
> >
>
> --
> Best regards,
> Vladimir
>
On 14.07.25 05:12, Jason Wang wrote:
> On Wed, Jul 9, 2025 at 10:43 PM Vladimir Sementsov-Ogievskiy
> <vsementsov@yandex-team.ru> wrote:
>>
>> On 07.07.25 06:49, Jason Wang wrote:
>>> On Thu, Jul 3, 2025 at 10:59 PM Daniil Tatianin
>>> <d-tatianin@yandex-team.ru> wrote:
>>>>
>>>> On 7/3/25 1:55 PM, Vladimir Sementsov-Ogievskiy wrote:
>>>>
>>>>> Theoretically tap_read_packet() may return size less than
>>>>> s->host_vnet_hdr_len, and next, we'll work with negative size
>>>>> (in case of !s->using_vnet_hdr). Let's avoid it.
>>>>>
>>>>> Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
>>>>> ---
>>>>> net/tap.c | 5 +++++
>>>>> 1 file changed, 5 insertions(+)
>>>>>
>>>>> diff --git a/net/tap.c b/net/tap.c
>>>>> index ae1c7e39832..20d0dc2eb35 100644
>>>>> --- a/net/tap.c
>>>>> +++ b/net/tap.c
>>>>> @@ -172,6 +172,11 @@ static void tap_send(void *opaque)
>>>>> break;
>>>>> }
>>>>>
>>>>> + if (s->host_vnet_hdr_len && size < s->host_vnet_hdr_len) {
>>
>> Should it be better to s/</<=/ here? To skip size == s->host_vnet_hdr_len as well?
>
> It would be better.
>
> Thanks
Could you apply it in your branch? Or I can resend, if it is more convenient.
>
>>
>>>>> + /* Invalid packet */
>>>>> + break;
>>>>> + }
>>>>> +
>>>>> if (s->host_vnet_hdr_len && !s->using_vnet_hdr) {
>>>>> buf += s->host_vnet_hdr_len;
>>>>> size -= s->host_vnet_hdr_len;
>>>>
>>>> Reviewed-by: Daniil Tatianin <d-tatianin@yandex-team.ru>
>>>
>>> Queued.
>>>
>>> Thanks
>>>
>>>>
>>>>
>>>
>>
>> --
>> Best regards,
>> Vladimir
>>
>
--
Best regards,
Vladimir
On Tue, Jul 15, 2025 at 10:59 PM Vladimir Sementsov-Ogievskiy
<vsementsov@yandex-team.ru> wrote:
>
> On 14.07.25 05:12, Jason Wang wrote:
> > On Wed, Jul 9, 2025 at 10:43 PM Vladimir Sementsov-Ogievskiy
> > <vsementsov@yandex-team.ru> wrote:
> >>
> >> On 07.07.25 06:49, Jason Wang wrote:
> >>> On Thu, Jul 3, 2025 at 10:59 PM Daniil Tatianin
> >>> <d-tatianin@yandex-team.ru> wrote:
> >>>>
> >>>> On 7/3/25 1:55 PM, Vladimir Sementsov-Ogievskiy wrote:
> >>>>
> >>>>> Theoretically tap_read_packet() may return size less than
> >>>>> s->host_vnet_hdr_len, and next, we'll work with negative size
> >>>>> (in case of !s->using_vnet_hdr). Let's avoid it.
> >>>>>
> >>>>> Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
> >>>>> ---
> >>>>> net/tap.c | 5 +++++
> >>>>> 1 file changed, 5 insertions(+)
> >>>>>
> >>>>> diff --git a/net/tap.c b/net/tap.c
> >>>>> index ae1c7e39832..20d0dc2eb35 100644
> >>>>> --- a/net/tap.c
> >>>>> +++ b/net/tap.c
> >>>>> @@ -172,6 +172,11 @@ static void tap_send(void *opaque)
> >>>>> break;
> >>>>> }
> >>>>>
> >>>>> + if (s->host_vnet_hdr_len && size < s->host_vnet_hdr_len) {
> >>
> >> Should it be better to s/</<=/ here? To skip size == s->host_vnet_hdr_len as well?
> >
> > It would be better.
> >
> > Thanks
>
> Could you apply it in your branch? Or I can resend, if it is more convenient.
Please resend.
Thanks
>
> >
> >>
> >>>>> + /* Invalid packet */
> >>>>> + break;
> >>>>> + }
> >>>>> +
> >>>>> if (s->host_vnet_hdr_len && !s->using_vnet_hdr) {
> >>>>> buf += s->host_vnet_hdr_len;
> >>>>> size -= s->host_vnet_hdr_len;
> >>>>
> >>>> Reviewed-by: Daniil Tatianin <d-tatianin@yandex-team.ru>
> >>>
> >>> Queued.
> >>>
> >>> Thanks
> >>>
> >>>>
> >>>>
> >>>
> >>
> >> --
> >> Best regards,
> >> Vladimir
> >>
> >
>
> --
> Best regards,
> Vladimir
>
I tested this patch with virtio-net regression tests, everything works fine.
Tested-by: Lei Yang <leiyang@redhat.com>
On Thu, Jul 3, 2025 at 10:59 PM Daniil Tatianin
<d-tatianin@yandex-team.ru> wrote:
>
> On 7/3/25 1:55 PM, Vladimir Sementsov-Ogievskiy wrote:
>
> > Theoretically tap_read_packet() may return size less than
> > s->host_vnet_hdr_len, and next, we'll work with negative size
> > (in case of !s->using_vnet_hdr). Let's avoid it.
> >
> > Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
> > ---
> > net/tap.c | 5 +++++
> > 1 file changed, 5 insertions(+)
> >
> > diff --git a/net/tap.c b/net/tap.c
> > index ae1c7e39832..20d0dc2eb35 100644
> > --- a/net/tap.c
> > +++ b/net/tap.c
> > @@ -172,6 +172,11 @@ static void tap_send(void *opaque)
> > break;
> > }
> >
> > + if (s->host_vnet_hdr_len && size < s->host_vnet_hdr_len) {
> > + /* Invalid packet */
> > + break;
> > + }
> > +
> > if (s->host_vnet_hdr_len && !s->using_vnet_hdr) {
> > buf += s->host_vnet_hdr_len;
> > size -= s->host_vnet_hdr_len;
>
> Reviewed-by: Daniil Tatianin <d-tatianin@yandex-team.ru>
>
>
© 2016 - 2025 Red Hat, Inc.