qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] net: check payload length limit for all frames

From: Li Qiang
Subject: Re: [PATCH] net: check payload length limit for all frames
Date: Fri, 17 Jul 2020 08:53:42 +0800 
P J P <ppandit@redhat.com> 于2020年7月17日周五 上午3:26写道:
>
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> While sending packets, the check that packet 'payload_len'
> is within 64kB limit, seems to happen only for GSO frames.
> It may lead to use-after-free or out-of-bounds access like
> issues when sending non-GSO frames. Check the 'payload_len'
> limit for all packets, irrespective of the gso type.
>

Hello Prasad,
Which issue are you trying to solve, any reference linking?

I also send a patch related this part and also a UAF.

Thanks,
Li Qiang

> Reported-by: Alexander Bulekov <alxndr@bu.edu>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
>  hw/net/net_tx_pkt.c | 10 ++++------
>  1 file changed, 4 insertions(+), 6 deletions(-)
>
> diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
> index 162f802dd7..e66998a8f9 100644
> --- a/hw/net/net_tx_pkt.c
> +++ b/hw/net/net_tx_pkt.c
> @@ -607,12 +607,10 @@ bool net_tx_pkt_send(struct NetTxPkt *pkt, 
> NetClientState *nc)
>       * Since underlying infrastructure does not support IP datagrams longer
>       * than 64K we should drop such packets and don't even try to send
>       */
> -    if (VIRTIO_NET_HDR_GSO_NONE != pkt->virt_hdr.gso_type) {
> -        if (pkt->payload_len >
> -            ETH_MAX_IP_DGRAM_LEN -
> -            pkt->vec[NET_TX_PKT_L3HDR_FRAG].iov_len) {
> -            return false;
> -        }
> +    if (pkt->payload_len >
> +        ETH_MAX_IP_DGRAM_LEN -
> +        pkt->vec[NET_TX_PKT_L3HDR_FRAG].iov_len) {
> +        return false;
>      }
>
>      if (pkt->has_virt_hdr ||
> --
> 2.26.2
>
>
reply via email to
[Prev in Thread] Current Thread [Next in Thread]