From patchwork Thu Feb 16 12:29:33 2017
X-Patchwork-Submitter: Dmitry Fleytman
X-Patchwork-Id: 728603
From: Dmitry Fleytman
To: qemu-devel@nongnu.org
Cc: Yan Vugenfirer, Dmitry Fleytman, Jason Wang, P J P
Date: Thu, 16 Feb 2017 14:29:33 +0200
Message-Id: <1487248176-29602-3-git-send-email-dmitry@daynix.com>
In-Reply-To: <1487248176-29602-1-git-send-email-dmitry@daynix.com>
References: <1487248176-29602-1-git-send-email-dmitry@daynix.com>
X-Mailer: git-send-email 2.7.4
Subject: [Qemu-devel] [PATCH 2/5] NetRxPkt: Fix memory corruption on VLAN header stripping

This patch fixed a problem that was introduced in commit eb700029.

When net_rx_pkt_attach_iovec() calls eth_strip_vlan(), this can result in pkt->ehdr_buf being overflowed, because ehdr_buf is only sizeof(struct eth_header) bytes large but eth_strip_vlan() can write sizeof(struct eth_header) + sizeof(struct vlan_header) bytes into it.

Devices affected by this problem: vmxnet3.

Reported-by: Peter Maydell
Signed-off-by: Dmitry Fleytman
---
 hw/net/net_rx_pkt.c | 34 +++++++++++++++++-----------------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/hw/net/net_rx_pkt.c b/hw/net/net_rx_pkt.c index 1019b50..7c0beac 100644 --- a/hw/net/net_rx_pkt.c +++ b/hw/net/net_rx_pkt.c @@ -23,13 +23,13 @@ struct NetRxPkt { struct virtio_net_hdr virt_hdr; - uint8_t ehdr_buf[sizeof(struct eth_header)]; + uint8_t ehdr_buf[sizeof(struct eth_header) + sizeof(struct vlan_header)]; struct iovec *vec; uint16_t vec_len_total; uint16_t vec_len; uint32_t tot_len; uint16_t tci; - bool vlan_stripped; + size_t ehdr_buf_len; bool has_virt_hdr; eth_pkt_types_e packet_type;
@@ -88,15 +88,13 @@ net_rx_pkt_pull_data(struct NetRxPkt *pkt, const struct iovec *iov, int iovcnt, size_t ploff) { - if (pkt->vlan_stripped) { + if (pkt->ehdr_buf_len) { net_rx_pkt_iovec_realloc(pkt, iovcnt + 1); pkt->vec[0].iov_base = pkt->ehdr_buf; - pkt->vec[0].iov_len = sizeof(pkt->ehdr_buf); - - pkt->tot_len = - iov_size(iov, iovcnt) - ploff + sizeof(struct eth_header); + pkt->vec[0].iov_len = pkt->ehdr_buf_len; + pkt->tot_len = iov_size(iov, iovcnt) - ploff + pkt->ehdr_buf_len; pkt->vec_len = iov_copy(pkt->vec + 1, pkt->vec_len_total - 1, iov, iovcnt, ploff, pkt->tot_len); } else { @@ -123,11 +121,12 @@ void net_rx_pkt_attach_iovec(struct NetRxPkt *pkt, uint16_t tci = 0; uint16_t ploff = iovoff; assert(pkt); - pkt->vlan_stripped = false; if (strip_vlan) { - pkt->vlan_stripped = eth_strip_vlan(iov, iovcnt, iovoff, pkt->ehdr_buf, - &ploff, &tci); + pkt->ehdr_buf_len = eth_strip_vlan(iov, iovcnt, iovoff, pkt->ehdr_buf, + &ploff, &tci); + } else { + pkt->ehdr_buf_len = 0; } pkt->tci = tci; @@ -143,12 +142,13 @@ void net_rx_pkt_attach_iovec_ex(struct NetRxPkt *pkt, uint16_t tci = 0; uint16_t ploff = iovoff; assert(pkt); - pkt->vlan_stripped = false; if (strip_vlan) { - pkt->vlan_stripped = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet, - pkt->ehdr_buf, - &ploff, &tci); + pkt->ehdr_buf_len = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet, + pkt->ehdr_buf, + &ploff, &tci); + } else { + pkt->ehdr_buf_len = 0; } pkt->tci = tci; @@ -162,8 +162,8 @@ void net_rx_pkt_dump(struct NetRxPkt *pkt) NetRxPkt *pkt = (NetRxPkt *)pkt; assert(pkt); - printf("RX PKT: tot_len: %d, vlan_stripped: %d, vlan_tag: %d\n", - pkt->tot_len, pkt->vlan_stripped, pkt->tci); + printf("RX PKT: tot_len: %d, ehdr_buf_len: %lu, vlan_tag: %d\n", + pkt->tot_len, pkt->ehdr_buf_len, pkt->tci); #endif } 
@@ -426,7 +426,7 @@ bool net_rx_pkt_is_vlan_stripped(struct NetRxPkt *pkt) { assert(pkt); - return pkt->vlan_stripped; + return pkt->ehdr_buf_len ? true : false; } bool net_rx_pkt_has_virt_hdr(struct NetRxPkt *pkt)
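Review bot: The new `size_t ehdr_buf_len` field in the struct hunk (@@ -23,13 +23,13 @@) does double duty as the "was a VLAN header stripped" flag (zero means nothing stripped, which net_rx_pkt_is_vlan_stripped() now relies on), but nothing documents that; a one-line comment next to the field, e.g. `/* bytes valid in ehdr_buf; 0 when no VLAN header was stripped */`, would make the invariant explicit for the next person who touches it. The enlarged `ehdr_buf[sizeof(struct eth_header) + sizeof(struct vlan_header)]` matches the maximum eth_strip_vlan() can write according to the commit message, so the overflow fix itself looks right.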
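Review bot: In net_rx_pkt_pull_data() (@@ -88,15 +88,13 @@), `pkt->vec[0].iov_len = pkt->ehdr_buf_len;` hands the stripped header to the iovec without checking that the length fits the backing array; an `assert(pkt->ehdr_buf_len <= sizeof(pkt->ehdr_buf));` just before it would catch any future change to eth_strip_vlan() that writes more than the struct reserves, which is exactly the class of bug this patch is fixing. The tot_len computation is now right as well: it adds the actual stripped header length instead of the fixed `sizeof(struct eth_header)`, so the VLAN header bytes are no longer left out of the total when a tag was stripped.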
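Review bot: Assigning the result of eth_strip_vlan() to `pkt->ehdr_buf_len` in net_rx_pkt_attach_iovec() (@@ -123,11 +121,12 @@) treats the return value as a byte count (it is later used as an iov_len and added to tot_len), whereas the removed line stored it in a `bool`. That change of return type is not part of this diff, so the series must land the eth_strip_vlan() signature change before this patch, and the commit message would benefit from saying that this patch depends on it.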
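Review bot: The `} else { pkt->ehdr_buf_len = 0; }` branch added in net_rx_pkt_attach_iovec_ex() (@@ -143,12 +142,13 @@) duplicates the one added to net_rx_pkt_attach_iovec(); setting `pkt->ehdr_buf_len = 0;` unconditionally before the `if (strip_vlan)`, the way the removed `pkt->vlan_stripped = false;` did, would drop both else branches and keep the two attach functions symmetric. Both call sites also rely on eth_strip_vlan_ex()/eth_strip_vlan() returning 0 when the frame carries no VLAN tag; if either can return a non-zero count in that case, is_vlan_stripped() would report a stripped tag that was never there.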
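Review bot: `%lu` for `pkt->ehdr_buf_len` in the net_rx_pkt_dump() hunk (@@ -162,8 +162,8 @@) is the wrong conversion for a `size_t`; use `%zu`. On 32-bit hosts `size_t` is not `unsigned long`, so the printf will produce a format warning (and a mismatched argument width) whenever this debug path is compiled in. While touching the line, `tot_len` is a `uint32_t` printed with `%d`, so `%u` would be the accurate specifier there too.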
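Review bot: `return pkt->ehdr_buf_len ? true : false;` in net_rx_pkt_is_vlan_stripped() (@@ -426,7 +426,7 @@) is a roundabout spelling of `return pkt->ehdr_buf_len != 0;`, which reads more directly and is the usual QEMU style. Semantically the function now encodes the convention that a non-zero stripped-header length means a tag was removed, so any later caller that fills ehdr_buf for a different reason would flip this result; that coupling is another argument for the field comment suggested on the struct hunk.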