diff mbox series

[for,3.1,1/4] net: drop too large packet early

Message ID 20181129031230.31082-2-jasowang@redhat.com (mailing list archive)
State New, archived
Headers show
Series Fix possible OOB during queuing packets | expand

Commit Message

Jason Wang Nov. 29, 2018, 3:12 a.m. UTC
We try to detect and drop too large packet (>INT_MAX) in 1592a9947036
("net: ignore packet size greater than INT_MAX") during packet
delivering. Unfortunately, this is not sufficient as we may hit
another integer overflow when trying to queue such large packet in
qemu_net_queue_append_iov():

- size of the allocation may overflow on 32bit
- packet->size is integer which may overflow even on 64bit

Fixing this by move the check to qemu_sendv_packet_async() which is
the entrance of all networking codes and reduce the limit to
NET_BUFSIZE to be more conservative.

Cc: qemu-stable@nongnu.org
Cc: Li Qiang <liq3ea@163.com>
Reported-by: Li Qiang <liq3ea@gmail.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 net/net.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

Comments

Li Qiang Nov. 29, 2018, 3:43 a.m. UTC | #1
Jason Wang <jasowang@redhat.com> 于2018年11月29日周四 上午11:12写道:

> We try to detect and drop too large packet (>INT_MAX) in 1592a9947036
> ("net: ignore packet size greater than INT_MAX") during packet
> delivering. Unfortunately, this is not sufficient as we may hit
> another integer overflow when trying to queue such large packet in
> qemu_net_queue_append_iov():
>
> - size of the allocation may overflow on 32bit
> - packet->size is integer which may overflow even on 64bit
>
> Fixing this by move the check to qemu_sendv_packet_async() which is
> the entrance of all networking codes and reduce the limit to
> NET_BUFSIZE to be more conservative.
>
> Cc: qemu-stable@nongnu.org
> Cc: Li Qiang <liq3ea@163.com>
> Reported-by: Li Qiang <liq3ea@gmail.com>
> Signed-off-by: Jason Wang <jasowang@redhat.com>
>

Looks ok to me.

Reviewed-by: Li Qiang <liq3ea@gmail.com>


> ---
>  net/net.c | 13 +++++++------
>  1 file changed, 7 insertions(+), 6 deletions(-)
>
> diff --git a/net/net.c b/net/net.c
> index 07c194a8f6..affe1877cf 100644
> --- a/net/net.c
> +++ b/net/net.c
> @@ -712,15 +712,11 @@ ssize_t qemu_deliver_packet_iov(NetClientState
> *sender,
>                                  void *opaque)
>  {
>      NetClientState *nc = opaque;
> -    size_t size = iov_size(iov, iovcnt);
>      int ret;
>
> -    if (size > INT_MAX) {
> -        return size;
> -    }
>
>      if (nc->link_down) {
> -        return size;
> +        return iov_size(iov, iovcnt);
>      }
>
>      if (nc->receive_disabled) {
> @@ -745,10 +741,15 @@ ssize_t qemu_sendv_packet_async(NetClientState
> *sender,
>                                  NetPacketSent *sent_cb)
>  {
>      NetQueue *queue;
> +    size_t size = iov_size(iov, iovcnt);
>      int ret;
>
> +    if (size > NET_BUFSIZE) {
> +        return size;
> +    }
> +
>      if (sender->link_down || !sender->peer) {
> -        return iov_size(iov, iovcnt);
> +        return size;
>      }
>
>      /* Let filters handle the packet first */
> --
> 2.17.1
>
>
diff mbox series

Patch

diff --git a/net/net.c b/net/net.c
index 07c194a8f6..affe1877cf 100644
--- a/net/net.c
+++ b/net/net.c
@@ -712,15 +712,11 @@  ssize_t qemu_deliver_packet_iov(NetClientState *sender,
                                 void *opaque)
 {
     NetClientState *nc = opaque;
-    size_t size = iov_size(iov, iovcnt);
     int ret;
 
-    if (size > INT_MAX) {
-        return size;
-    }
 
     if (nc->link_down) {
-        return size;
+        return iov_size(iov, iovcnt);
     }
 
     if (nc->receive_disabled) {
@@ -745,10 +741,15 @@  ssize_t qemu_sendv_packet_async(NetClientState *sender,
                                 NetPacketSent *sent_cb)
 {
     NetQueue *queue;
+    size_t size = iov_size(iov, iovcnt);
     int ret;
 
+    if (size > NET_BUFSIZE) {
+        return size;
+    }
+
     if (sender->link_down || !sender->peer) {
-        return iov_size(iov, iovcnt);
+        return size;
     }
 
     /* Let filters handle the packet first */