From: Jason Wang <jasowang@redhat.com>
To: peter.maydell@linaro.org, qemu-devel@nongnu.org
Cc: Dmitry Fleytman <dmitry@daynix.com>,
qemu-stable@nongnu.org, Jason Wang <jasowang@redhat.com>
Subject: [Qemu-devel] [PULL RESEND 03/19] NetRxPkt: Fix memory corruption on VLAN header stripping
Date: Mon, 6 Mar 2017 13:25:38 +0800 [thread overview]
Message-ID: <1488777954-4578-4-git-send-email-jasowang@redhat.com> (raw)
In-Reply-To: <1488777954-4578-1-git-send-email-jasowang@redhat.com>
From: Dmitry Fleytman <dmitry@daynix.com>
This patch fixed a problem that was introduced in commit eb700029.
When net_rx_pkt_attach_iovec() calls eth_strip_vlan()
this can result in pkt->ehdr_buf being overflowed, because
ehdr_buf is only sizeof(struct eth_header) bytes large
but eth_strip_vlan() can write
sizeof(struct eth_header) + sizeof(struct vlan_header)
bytes into it.
Devices affected by this problem: vmxnet3.
Cc: qemu-stable@nongnu.org
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
hw/net/net_rx_pkt.c | 34 +++++++++++++++++-----------------
1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/hw/net/net_rx_pkt.c b/hw/net/net_rx_pkt.c
index 7f928d7..3361d7e 100644
--- a/hw/net/net_rx_pkt.c
+++ b/hw/net/net_rx_pkt.c
@@ -23,13 +23,13 @@
struct NetRxPkt {
struct virtio_net_hdr virt_hdr;
- uint8_t ehdr_buf[sizeof(struct eth_header)];
+ uint8_t ehdr_buf[sizeof(struct eth_header) + sizeof(struct vlan_header)];
struct iovec *vec;
uint16_t vec_len_total;
uint16_t vec_len;
uint32_t tot_len;
uint16_t tci;
- bool vlan_stripped;
+ size_t ehdr_buf_len;
bool has_virt_hdr;
eth_pkt_types_e packet_type;
@@ -88,15 +88,13 @@ net_rx_pkt_pull_data(struct NetRxPkt *pkt,
const struct iovec *iov, int iovcnt,
size_t ploff)
{
- if (pkt->vlan_stripped) {
+ if (pkt->ehdr_buf_len) {
net_rx_pkt_iovec_realloc(pkt, iovcnt + 1);
pkt->vec[0].iov_base = pkt->ehdr_buf;
- pkt->vec[0].iov_len = sizeof(pkt->ehdr_buf);
-
- pkt->tot_len =
- iov_size(iov, iovcnt) - ploff + sizeof(struct eth_header);
+ pkt->vec[0].iov_len = pkt->ehdr_buf_len;
+ pkt->tot_len = iov_size(iov, iovcnt) - ploff + pkt->ehdr_buf_len;
pkt->vec_len = iov_copy(pkt->vec + 1, pkt->vec_len_total - 1,
iov, iovcnt, ploff, pkt->tot_len);
} else {
@@ -123,11 +121,12 @@ void net_rx_pkt_attach_iovec(struct NetRxPkt *pkt,
uint16_t tci = 0;
uint16_t ploff = iovoff;
assert(pkt);
- pkt->vlan_stripped = false;
if (strip_vlan) {
- pkt->vlan_stripped = eth_strip_vlan(iov, iovcnt, iovoff, pkt->ehdr_buf,
- &ploff, &tci);
+ pkt->ehdr_buf_len = eth_strip_vlan(iov, iovcnt, iovoff, pkt->ehdr_buf,
+ &ploff, &tci);
+ } else {
+ pkt->ehdr_buf_len = 0;
}
pkt->tci = tci;
@@ -143,12 +142,13 @@ void net_rx_pkt_attach_iovec_ex(struct NetRxPkt *pkt,
uint16_t tci = 0;
uint16_t ploff = iovoff;
assert(pkt);
- pkt->vlan_stripped = false;
if (strip_vlan) {
- pkt->vlan_stripped = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet,
- pkt->ehdr_buf,
- &ploff, &tci);
+ pkt->ehdr_buf_len = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet,
+ pkt->ehdr_buf,
+ &ploff, &tci);
+ } else {
+ pkt->ehdr_buf_len = 0;
}
pkt->tci = tci;
@@ -161,8 +161,8 @@ void net_rx_pkt_dump(struct NetRxPkt *pkt)
#ifdef NET_RX_PKT_DEBUG
assert(pkt);
- printf("RX PKT: tot_len: %d, vlan_stripped: %d, vlan_tag: %d\n",
- pkt->tot_len, pkt->vlan_stripped, pkt->tci);
+ printf("RX PKT: tot_len: %d, ehdr_buf_len: %lu, vlan_tag: %d\n",
+ pkt->tot_len, pkt->ehdr_buf_len, pkt->tci);
#endif
}
@@ -425,7 +425,7 @@ bool net_rx_pkt_is_vlan_stripped(struct NetRxPkt *pkt)
{
assert(pkt);
- return pkt->vlan_stripped;
+ return pkt->ehdr_buf_len ? true : false;
}
bool net_rx_pkt_has_virt_hdr(struct NetRxPkt *pkt)
--
2.7.4
next prev parent reply other threads:[~2017-03-06 5:26 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-06 5:25 [Qemu-devel] [PULL RESEND 00/19] Net patches Jason Wang
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 01/19] net: Remove useless local var pkt Jason Wang
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 02/19] eth: Extend vlan stripping functions Jason Wang
2017-03-06 5:25 ` Jason Wang [this message]
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 04/19] NetRxPkt: Do not try to pull more data than present Jason Wang
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 05/19] NetRxPkt: Account buffer with ETH header in IOV length Jason Wang
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 06/19] NetRxPkt: Remove code duplication in net_rx_pkt_pull_data() Jason Wang
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 07/19] colo-compare: use g_timeout_source_new() to process the stale packets Jason Wang
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 08/19] colo-compare: kick compare thread to exit after some cleanup in finalization Jason Wang
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 09/19] char: remove the right fd been watched in qemu_chr_fe_set_handlers() Jason Wang
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 10/19] colo-compare: Fix removing fds been watched incorrectly in finalization Jason Wang
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 11/19] net/colo-compare: Fix memory free error Jason Wang
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 12/19] vmxnet3: Convert ring values to uint32_t's Jason Wang
2017-03-13 20:20 ` Laurent Vivier
2017-03-14 11:16 ` Dr. David Alan Gilbert
2017-03-14 11:29 ` Laurent Vivier
2017-03-14 11:38 ` Dr. David Alan Gilbert
2017-03-14 11:47 ` Laurent Vivier
2017-03-14 12:32 ` Dr. David Alan Gilbert
2017-03-14 12:42 ` Laurent Vivier
2017-03-14 12:44 ` Dr. David Alan Gilbert
2017-03-14 13:31 ` Dr. David Alan Gilbert
2017-03-14 13:42 ` Laurent Vivier
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 13/19] vmxnet3: VMStatify rx/tx q_descr and int_state Jason Wang
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 14/19] net/colo: fix memory double free error Jason Wang
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 15/19] filter-rewriter: skip net_checksum_calculate() while offset = 0 Jason Wang
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 16/19] COLO-compare: Rename compare function and remove duplicate codes Jason Wang
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 17/19] COLO-compare: Optimize compare_common and compare_tcp Jason Wang
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 18/19] COLO-compare: Fix icmp and udp compare different packet always dump bug Jason Wang
2017-03-06 5:25 ` [Qemu-devel] [PULL RESEND 19/19] net/filter-mirror: Follow CODING_STYLE Jason Wang
2017-03-07 7:31 ` [Qemu-devel] [PULL RESEND 00/19] Net patches Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1488777954-4578-4-git-send-email-jasowang@redhat.com \
--to=jasowang@redhat.com \
--cc=dmitry@daynix.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.