| Message ID | 20181129031230.31082-2-jasowang@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Series | Fix possible OOB during queuing packets |
Jason Wang <jasowang@redhat.com> wrote on Thursday, 29 November 2018 at 11:12 AM:
> We try to detect and drop too large packets (>INT_MAX) in 1592a9947036
> ("net: ignore packet size greater than INT_MAX") during packet
> delivery. Unfortunately, this is not sufficient as we may hit
> another integer overflow when trying to queue such a large packet in
> qemu_net_queue_append_iov():
>
> - size of the allocation may overflow on 32bit
> - packet->size is an integer which may overflow even on 64bit
>
> Fix this by moving the check to qemu_sendv_packet_async() which is
> the entrance of all networking code and reduce the limit to
> NET_BUFSIZE to be more conservative.
>
> Cc: qemu-stable@nongnu.org
> Cc: Li Qiang <liq3ea@163.com>
> Reported-by: Li Qiang <liq3ea@gmail.com>
> Signed-off-by: Jason Wang <jasowang@redhat.com>
>

Looks ok to me.

Reviewed-by: Li Qiang <liq3ea@gmail.com>

> ---
> net/net.c | 13 +++++++------
> 1 file changed, 7 insertions(+), 6 deletions(-)
>
> diff --git a/net/net.c b/net/net.c > index 07c194a8f6..affe1877cf 100644 > --- a/net/net.c > +++ b/net/net.c > @@ -712,15 +712,11 @@ ssize_t qemu_deliver_packet_iov(NetClientState > *sender, > void *opaque) > { > NetClientState *nc = opaque; > - size_t size = iov_size(iov, iovcnt); > int ret; > > - if (size > INT_MAX) { > - return size; > - } > > if (nc->link_down) { > - return size; > + return iov_size(iov, iovcnt); > } > > if (nc->receive_disabled) { > @@ -745,10 +741,15 @@ ssize_t qemu_sendv_packet_async(NetClientState > *sender, > NetPacketSent *sent_cb) > { > NetQueue *queue; > + size_t size = iov_size(iov, iovcnt); > int ret; > > + if (size > NET_BUFSIZE) { > + return size; > + } > + > if (sender->link_down || !sender->peer) { > - return iov_size(iov, iovcnt); > + return size; > } > > /* Let filters handle the packet first */ > -- > 2.17.1 > >
diff --git a/net/net.c b/net/net.c index 07c194a8f6..affe1877cf 100644 --- a/net/net.c +++ b/net/net.c @@ -712,15 +712,11 @@ ssize_t qemu_deliver_packet_iov(NetClientState *sender, void *opaque) { NetClientState *nc = opaque; - size_t size = iov_size(iov, iovcnt); int ret; - if (size > INT_MAX) { - return size; - } if (nc->link_down) { - return size; + return iov_size(iov, iovcnt); } if (nc->receive_disabled) { @@ -745,10 +741,15 @@ ssize_t qemu_sendv_packet_async(NetClientState *sender, NetPacketSent *sent_cb) { NetQueue *queue; + size_t size = iov_size(iov, iovcnt); int ret; + if (size > NET_BUFSIZE) { + return size; + } + if (sender->link_down || !sender->peer) { - return iov_size(iov, iovcnt); + return size; } /* Let filters handle the packet first */
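Review bot: removing the `if (size > INT_MAX)` block in qemu_deliver_packet_iov() leaves two consecutive blank lines between `int ret;` and `if (nc->link_down)`; drop one. It also leaves the function with no local bound at all, so its safety now rests on every path into it having passed through qemu_sendv_packet_async(); a one-line comment at the top of qemu_deliver_packet_iov() saying that the NET_BUFSIZE check is enforced at the entry point would stop a future direct caller from silently reintroducing the oversized-packet path.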
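Review bot: the new `if (size > NET_BUFSIZE) { return size; }` in qemu_sendv_packet_async() drops the packet silently and reports the full length back as if it had been sent, mirroring the link_down path just below it; add a comment stating the drop is deliberate (a trace point would also help) so the behaviour is discoverable when a guest's frames disappear. Note too that `size` is a size_t being returned through an ssize_t: on a 32-bit host a total above SSIZE_MAX comes back negative and the caller may treat it as an error rather than as "consumed", so either clamp the return or say in the commit message why that is acceptable. Finally, the message says the limit is lowered to NET_BUFSIZE "to be more conservative" but does not argue that no legitimate device or filter path produces a larger iov; one sentence on that would make the change easier to review.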
We try to detect and drop too large packets (>INT_MAX) in 1592a9947036
("net: ignore packet size greater than INT_MAX") during packet
delivery. Unfortunately, this is not sufficient as we may hit
another integer overflow when trying to queue such a large packet in
qemu_net_queue_append_iov():

- size of the allocation may overflow on 32bit
- packet->size is an integer which may overflow even on 64bit

Fix this by moving the check to qemu_sendv_packet_async() which is
the entrance of all networking code and reduce the limit to
NET_BUFSIZE to be more conservative.

Cc: qemu-stable@nongnu.org
Cc: Li Qiang <liq3ea@163.com>
Reported-by: Li Qiang <liq3ea@gmail.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 net/net.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
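The two overflows the commit message describes (the allocation size wrapping when an iov total is summed or added to a header size on a 32-bit host, and a size_t total being stored in an `int` field) are illustrated below in an added, self-contained example. It is not code from the patch or from QEMU: it sums an iovec with saturating arithmetic, rejects the packet at the entry point against a limit that plays the role of NET_BUFSIZE (the value used for it here is an assumption), and keeps the queued length as size_t. The `example_` names and the `example_packet` struct are hypothetical.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>   /* struct iovec, the shape the iov-based net API works on */

/* Plays the role of QEMU's NET_BUFSIZE; this value is an assumption for the example. */
#define EXAMPLE_NET_BUFSIZE ((size_t)(4096 + 65536))

/*
 * Saturating sum of the iov lengths. A plain running total can wrap on a
 * 32-bit host (the allocation-size overflow in the commit message); saturating
 * at SIZE_MAX guarantees the result is never smaller than any one segment, so
 * a hostile iov array cannot present as "small".
 */
static size_t iov_total_len(const struct iovec *iov, unsigned iovcnt)
{
    size_t total = 0;
    for (unsigned i = 0; i < iovcnt; i++) {
        if (iov[i].iov_len > SIZE_MAX - total) {
            return SIZE_MAX;
        }
        total += iov[i].iov_len;
    }
    return total;
}

/* The second overflow: a size_t total cannot be stored in an int once it passes INT_MAX. */
static bool size_fits_int(size_t n)
{
    return n <= (size_t)INT_MAX;
}

/* Hypothetical queued packet: length kept as size_t, payload flattened behind it. */
typedef struct {
    size_t size;
    uint8_t data[];
} example_packet;

/*
 * Entry-point check modelled on the patch's approach: bound the total before
 * anything is allocated or queued. Returns NULL when the packet is dropped
 * (too large) or the allocation fails.
 */
static example_packet *example_queue_append_iov(const struct iovec *iov,
                                                unsigned iovcnt, size_t limit)
{
    size_t size = iov_total_len(iov, iovcnt);
    if (size > limit) {
        return NULL;            /* dropped at the entrance, nothing allocated */
    }
    /* size <= limit, so this addition cannot overflow. */
    example_packet *pkt = malloc(sizeof(*pkt) + size);
    if (pkt == NULL) {
        return NULL;
    }
    pkt->size = size;
    size_t off = 0;
    for (unsigned i = 0; i < iovcnt; i++) {
        memcpy(pkt->data + off, iov[i].iov_base, iov[i].iov_len);
        off += iov[i].iov_len;
    }
    return pkt;
}

int main(void)
{
    /* Constructed inputs: one small valid frame and two hostile length sets
     * (the hostile iovs carry lengths only and are never copied from). */
    uint8_t frame[64] = {0};
    struct iovec ok[2]   = { { frame, 32 }, { frame + 32, 32 } };
    struct iovec wrap[2] = { { NULL, SIZE_MAX }, { NULL, 2 } };
    struct iovec big[1]  = { { NULL, EXAMPLE_NET_BUFSIZE + 1 } };

    example_packet *p = example_queue_append_iov(ok, 2, EXAMPLE_NET_BUFSIZE);
    printf("valid frame queued: %s (size %zu)\n", p ? "yes" : "no", p ? p->size : (size_t)0);
    printf("saturated total of wrapping iov: %zu\n", iov_total_len(wrap, 2));
    printf("oversized frame queued: %s\n",
           example_queue_append_iov(big, 1, EXAMPLE_NET_BUFSIZE) ? "yes" : "no");
    printf("INT_MAX + 1 fits in int: %s\n",
           size_fits_int((size_t)INT_MAX + 1) ? "yes" : "no");
    free(p);
    return 0;
}
```

The check sits in the one function every caller goes through, which is the structural point of the patch: once the bound is enforced at the entrance, the queue code behind it can allocate `sizeof(*pkt) + size` without a second overflow check, and the length field no longer needs to be an `int`.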