| Message ID | 20180925072327.24055-5-jasowang@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Fix buffer overflow for packet greater than INT_MAX | expand |
On Tue, Sep 25, 2018 at 03:23:27PM +0800, Jason Wang wrote: > There should not be a reason for passing a packet size greater than > INT_MAX. It's usually a hint of bug somewhere, so ignore packet size > greater than INT_MAX in qemu_deliver_packet_iov() > > CC: qemu-stable@nongnu.org > Reported-by: Daniel Shapira <daniel@twistlock.com> > Signed-off-by: Jason Wang <jasowang@redhat.com> > --- > net/net.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/net/net.c b/net/net.c > index fd8efebfdb..df216e3811 100644 > --- a/net/net.c > +++ b/net/net.c > @@ -712,10 +712,15 @@ ssize_t qemu_deliver_packet_iov(NetClientState *sender, > void *opaque) > { > NetClientState *nc = opaque; > + size_t size = iov_size(iov, iovcnt); > int ret; > This adds a useless iov scan on the good path. Can't be good for performance... > + if (size > INT_MAX) { > + return size; > + } > + > if (nc->link_down) { > - return iov_size(iov, iovcnt); > + return size; > } > > if (nc->receive_disabled) { > -- > 2.17.1
On 2018年09月25日 22:15, Michael S. Tsirkin wrote: > On Tue, Sep 25, 2018 at 03:23:27PM +0800, Jason Wang wrote: >> There should not be a reason for passing a packet size greater than >> INT_MAX. It's usually a hint of bug somewhere, so ignore packet size >> greater than INT_MAX in qemu_deliver_packet_iov() >> >> CC: qemu-stable@nongnu.org >> Reported-by: Daniel Shapira <daniel@twistlock.com> >> Signed-off-by: Jason Wang <jasowang@redhat.com> >> --- >> net/net.c | 7 ++++++- >> 1 file changed, 6 insertions(+), 1 deletion(-) >> >> diff --git a/net/net.c b/net/net.c >> index fd8efebfdb..df216e3811 100644 >> --- a/net/net.c >> +++ b/net/net.c >> @@ -712,10 +712,15 @@ ssize_t qemu_deliver_packet_iov(NetClientState *sender, >> void *opaque) >> { >> NetClientState *nc = opaque; >> + size_t size = iov_size(iov, iovcnt); >> int ret; >> > This adds a useless iov scan on the good path. > Can't be good for performance... Yes, will consider some optimization in the future. Thanks >> + if (size > INT_MAX) { >> + return size; >> + } >> + >> if (nc->link_down) { >> - return iov_size(iov, iovcnt); >> + return size; >> } >> >> if (nc->receive_disabled) { >> -- >> 2.17.1
diff --git a/net/net.c b/net/net.c index fd8efebfdb..df216e3811 100644 --- a/net/net.c +++ b/net/net.c @@ -712,10 +712,15 @@ ssize_t qemu_deliver_packet_iov(NetClientState *sender, void *opaque) { NetClientState *nc = opaque; + size_t size = iov_size(iov, iovcnt); int ret; + if (size > INT_MAX) { + return size; + } + if (nc->link_down) { - return iov_size(iov, iovcnt); + return size; } if (nc->receive_disabled) {
There should not be a reason for passing a packet size greater than INT_MAX. It's usually a hint of bug somewhere, so ignore packet size greater than INT_MAX in qemu_deliver_packet_iov() CC: qemu-stable@nongnu.org Reported-by: Daniel Shapira <daniel@twistlock.com> Signed-off-by: Jason Wang <jasowang@redhat.com> --- net/net.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)