From: GitHub
Subject: [Qemu-commits] [qemu/qemu] 39b8e7: rtl8139: avoid nested ifs in IP header parsing (CV...
Date: Mon, 03 Aug 2015 06:30:02 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: 39b8e7dcaf04cbdb926b478f825b160d852752b5
      https://github.com/qemu/qemu/commit/39b8e7dcaf04cbdb926b478f825b160d852752b5
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2015-08-03 (Mon, 03 Aug 2015)

  Changed paths:
    M hw/net/rtl8139.c

  Log Message:
  -----------
  rtl8139: avoid nested ifs in IP header parsing (CVE-2015-5165)

Transmit offload needs to parse packet headers.  If header fields have
unexpected values the offload processing is skipped.

The code currently uses nested ifs because there is relatively little
input validation.  The next patches will add missing input validation
and a goto label is more appropriate to avoid deep if statement nesting.

Reported-by: 朱东海(启路) <address@hidden>
Reviewed-by: Jason Wang <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: d6812d60e7932de3cd0f602c0ee63dd3d09f1847
      https://github.com/qemu/qemu/commit/d6812d60e7932de3cd0f602c0ee63dd3d09f1847
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2015-08-03 (Mon, 03 Aug 2015)

  Changed paths:
    M hw/net/rtl8139.c

  Log Message:
  -----------
  rtl8139: drop tautologous if (ip) {...} statement (CVE-2015-5165)

The previous patch stopped using the ip pointer as an indicator that the
IP header is present.  When we reach the if (ip) {...} statement we know
ip is always non-NULL.

Remove the if statement to reduce nesting.

Reported-by: 朱东海(启路) <address@hidden>
Reviewed-by: Jason Wang <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: e1c120a9c54872f8a538ff9129d928de4e865cbd
      https://github.com/qemu/qemu/commit/e1c120a9c54872f8a538ff9129d928de4e865cbd
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2015-08-03 (Mon, 03 Aug 2015)

  Changed paths:
    M hw/net/rtl8139.c

  Log Message:
  -----------
  rtl8139: skip offload on short Ethernet/IP header (CVE-2015-5165)

Transmit offload features access Ethernet and IP headers in the packet.  If
the packet is too short we must not attempt to access header fields:

  int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12));
  ...
  eth_payload_data = saved_buffer + ETH_HLEN;
  ...
  ip = (ip_header*)eth_payload_data;
  if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {

Reported-by: 朱东海(启路) <address@hidden>
Reviewed-by: Jason Wang <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 03247d43c577dfea8181cd40177ad5ba77c8db76
      https://github.com/qemu/qemu/commit/03247d43c577dfea8181cd40177ad5ba77c8db76
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2015-08-03 (Mon, 03 Aug 2015)

  Changed paths:
    M hw/net/rtl8139.c

  Log Message:
  -----------
  rtl8139: check IP Header Length field (CVE-2015-5165)

The IP Header Length field was only checked in the IP checksum case, but
is used in other cases too.

Reported-by: 朱东海(启路) <address@hidden>
Reviewed-by: Jason Wang <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: c6296ea88df040054ccd781f3945fe103f8c7c17
      https://github.com/qemu/qemu/commit/c6296ea88df040054ccd781f3945fe103f8c7c17
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2015-08-03 (Mon, 03 Aug 2015)

  Changed paths:
    M hw/net/rtl8139.c

  Log Message:
  -----------
  rtl8139: check IP Total Length field (CVE-2015-5165)

The IP Total Length field includes the IP header and data.  Make sure it
is valid and does not exceed the Ethernet payload size.

Reported-by: 朱东海(启路) <address@hidden>
Reviewed-by: Jason Wang <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 4240be45632db7831129f124bcf53c1223825b0f
      https://github.com/qemu/qemu/commit/4240be45632db7831129f124bcf53c1223825b0f
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2015-08-03 (Mon, 03 Aug 2015)

  Changed paths:
    M hw/net/rtl8139.c

  Log Message:
  -----------
  rtl8139: skip offload on short TCP header (CVE-2015-5165)

TCP Large Segment Offload accesses the TCP header in the packet.  If the
packet is too short we must not attempt to access header fields:

  tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen);
  int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr);

Reported-by: 朱东海(启路) <address@hidden>
Reviewed-by: Jason Wang <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 8357946b15f0a31f73dd691b7da95f29318ed310
      https://github.com/qemu/qemu/commit/8357946b15f0a31f73dd691b7da95f29318ed310
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2015-08-03 (Mon, 03 Aug 2015)

  Changed paths:
    M hw/net/rtl8139.c

  Log Message:
  -----------
  rtl8139: check TCP Data Offset field (CVE-2015-5165)

The TCP Data Offset field contains the length of the header.  Make sure
it is valid and does not exceed the IP data length.

Reported-by: 朱东海(启路) <address@hidden>
Reviewed-by: Jason Wang <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
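As an added illustration of the checks the seven commits above describe (this is not QEMU's hw/net/rtl8139.c code; the verdict names, the parsed_tx struct, the helper functions and the constructed 54-byte sample frame are this example's own assumptions), the following C function validates an Ethernet/IPv4/TCP frame in the same order before any offload logic reads a header field: short Ethernet/IP header, IP version, IP Header Length, IP Total Length against the Ethernet payload size, short TCP header, and TCP Data Offset against the IP data length. Every rejected case returns a distinct verdict so the reason for skipping offload is visible.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN     14      /* dst MAC (6) + src MAC (6) + EtherType (2) */
#define ETH_P_IP     0x0800
#define IP_PROTO_TCP 6
#define MIN_IP_HLEN  20      /* IHL = 5 words */
#define MIN_TCP_HLEN 20      /* Data Offset = 5 words */

/* Verdict names are this example's own, one per check in the commit series. */
enum offload_verdict {
    OFFLOAD_OK = 0,
    OFFLOAD_SKIP_SHORT_ETH_IP,   /* frame too short for Ethernet + minimal IP header */
    OFFLOAD_SKIP_NOT_IPV4,       /* EtherType or IP version is not IPv4 */
    OFFLOAD_SKIP_BAD_IHL,        /* IP Header Length < 20 or beyond the payload */
    OFFLOAD_SKIP_BAD_TOTAL_LEN,  /* IP Total Length < header or beyond the payload */
    OFFLOAD_SKIP_NOT_TCP,        /* not TCP, so no large segment offload */
    OFFLOAD_SKIP_SHORT_TCP,      /* IP data too short for a minimal TCP header */
    OFFLOAD_SKIP_BAD_DATA_OFFSET /* TCP Data Offset < 20 or beyond the IP data */
};

struct parsed_tx {
    size_t ip_hlen;      /* IHL * 4 */
    size_t ip_data_len;  /* Total Length - ip_hlen */
    size_t tcp_hlen;     /* Data Offset * 4 */
};

static uint16_t rd_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Validate len bytes at buf. Each length check runs before the field it
 * guards is read, so a short or lying header never causes an out-of-bounds
 * access. On success the derived lengths are written to *out (if non-NULL). */
enum offload_verdict validate_tx_frame(const uint8_t *buf, size_t len,
                                       struct parsed_tx *out)
{
    /* Ethernet header plus a minimal IPv4 header must be present before
     * the EtherType and the IP version/IHL byte are read. */
    if (len < ETH_HLEN + MIN_IP_HLEN)
        return OFFLOAD_SKIP_SHORT_ETH_IP;
    if (rd_be16(buf + 12) != ETH_P_IP)
        return OFFLOAD_SKIP_NOT_IPV4;

    const uint8_t *ip = buf + ETH_HLEN;
    size_t eth_payload_len = len - ETH_HLEN;

    if ((ip[0] >> 4) != 4)
        return OFFLOAD_SKIP_NOT_IPV4;

    /* IP Header Length field: 32-bit words, must cover the fixed header
     * and must not run past the Ethernet payload. */
    size_t hlen = (size_t)(ip[0] & 0x0f) * 4;
    if (hlen < MIN_IP_HLEN || hlen > eth_payload_len)
        return OFFLOAD_SKIP_BAD_IHL;

    /* IP Total Length covers header + data: at least the header, at most
     * the Ethernet payload actually present. */
    size_t ip_total = rd_be16(ip + 2);
    if (ip_total < hlen || ip_total > eth_payload_len)
        return OFFLOAD_SKIP_BAD_TOTAL_LEN;
    size_t ip_data_len = ip_total - hlen;

    if (ip[9] != IP_PROTO_TCP)
        return OFFLOAD_SKIP_NOT_TCP;

    /* A full minimal TCP header must fit in the IP data before the
     * Data Offset byte is read. */
    if (ip_data_len < MIN_TCP_HLEN)
        return OFFLOAD_SKIP_SHORT_TCP;
    const uint8_t *tcp = ip + hlen;
    size_t tcp_hlen = (size_t)(tcp[12] >> 4) * 4;
    if (tcp_hlen < MIN_TCP_HLEN || tcp_hlen > ip_data_len)
        return OFFLOAD_SKIP_BAD_DATA_OFFSET;

    if (out) {
        out->ip_hlen = hlen;
        out->ip_data_len = ip_data_len;
        out->tcp_hlen = tcp_hlen;
    }
    return OFFLOAD_OK;
}

/* Constructed sample: Ethernet + 20-byte IPv4 (Total Length 40, proto TCP)
 * + 20-byte TCP SYN, 54 bytes in all. Not captured traffic. */
static const uint8_t sample_frame[54] = {
    0x02, 0x00, 0x00, 0x00, 0x00, 0x02, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01, 0x08, 0x00,
    0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    0x04, 0xd2, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x50, 0x02, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00
};

#define NO_PATCH ((size_t)-1)

/* Copy the sample, overwrite one byte at offset (unless NO_PATCH), and
 * validate the first len bytes. Used to exercise each rejection path. */
enum offload_verdict verdict_after_patch(size_t offset, uint8_t value, size_t len)
{
    uint8_t buf[sizeof sample_frame];
    memcpy(buf, sample_frame, sizeof buf);
    if (offset != NO_PATCH && offset < sizeof buf)
        buf[offset] = value;
    if (len > sizeof buf)
        len = sizeof buf;
    return validate_tx_frame(buf, len, NULL);
}

int main(void)
{
    printf("intact frame: verdict %d\n", verdict_after_patch(NO_PATCH, 0, 54));
    printf("IHL=15 (60 > 40-byte payload): verdict %d\n", verdict_after_patch(14, 0x4f, 54));
    printf("Total Length 255: verdict %d\n", verdict_after_patch(17, 0xff, 54));
    printf("TCP Data Offset 15 (60 > 20-byte IP data): verdict %d\n",
           verdict_after_patch(46, 0xf0, 54));
    return 0;
}
```

Byte offsets used with verdict_after_patch follow from the constructed layout: 14 is the IP version/IHL byte, 17 the low byte of IP Total Length, 23 the IP protocol, 46 the TCP Data Offset byte. The ordering matters: the Total Length check is what makes the later `tcp = ip + hlen` and `tcp[12]` reads safe, which is the point of the commit series.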


  Commit: 2a3612ccc1fa9cea77bd193afbfe21c77e7e91ef
      https://github.com/qemu/qemu/commit/2a3612ccc1fa9cea77bd193afbfe21c77e7e91ef
  Author: Peter Maydell <address@hidden>
  Date:   2015-08-03 (Mon, 03 Aug 2015)

  Changed paths:
    M hw/net/rtl8139.c

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/stefanha/tags/rtl8139-cplus-tx-input-validation-pull-request' into staging

Pull request

# gpg: Signature made Mon Aug  3 13:08:25 2015 BST using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <address@hidden>"
# gpg:                 aka "Stefan Hajnoczi <address@hidden>"

* remotes/stefanha/tags/rtl8139-cplus-tx-input-validation-pull-request:
  rtl8139: check TCP Data Offset field (CVE-2015-5165)
  rtl8139: skip offload on short TCP header (CVE-2015-5165)
  rtl8139: check IP Total Length field (CVE-2015-5165)
  rtl8139: check IP Header Length field (CVE-2015-5165)
  rtl8139: skip offload on short Ethernet/IP header (CVE-2015-5165)
  rtl8139: drop tautologous if (ip) {...} statement (CVE-2015-5165)
  rtl8139: avoid nested ifs in IP header parsing (CVE-2015-5165)

Signed-off-by: Peter Maydell <address@hidden>


Compare: https://github.com/qemu/qemu/compare/bd80b5963f58...2a3612ccc1fa
