From patchwork Tue Jan 24 04:31:35 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Akihiko Odaki X-Patchwork-Id: 13113425 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 42954C38142 for ; Tue, 24 Jan 2023 04:37:59 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1pKAzL-0002vr-Hs; Mon, 23 Jan 2023 23:32:51 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pKAzK-0002vD-In for qemu-devel@nongnu.org; Mon, 23 Jan 2023 23:32:50 -0500 Received: from mail-pj1-x1036.google.com ([2607:f8b0:4864:20::1036]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1pKAzI-0002OV-Ta for qemu-devel@nongnu.org; Mon, 23 Jan 2023 23:32:50 -0500 Received: by mail-pj1-x1036.google.com with SMTP id h5-20020a17090a9c0500b0022bb85eb35dso8524801pjp.3 for ; Mon, 23 Jan 2023 20:32:48 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=daynix-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=XKj6hB3CbJPG3MzPqJKXu/piFOPlauwQguDrOreBKaM=; b=gqIp+OUxmKBKHxW3bkBnfW4/3T8KZJ/R9sOs1ZS4fbvu2rWlZ5BkkKK2ytzoNgAfA+ Xfxnevzv7is/VIPve0tLOkhQNQfo5AHFJSQkx+1aHc6ryhOcZw69yytt2RtizaNskx0U ej18yDMTrK6SSzb81MVFDXQl437A7qA8k7y53yAuilXGMUO2gcAFcZxdrMMWTeBiMUtt GJqQ0aDZ8rL+7DXVjfEbbPKaVdMsM7mHqtYQgN4FYte9g0f6cvWkonGkZjH2oV8nw1AO yb0yd1u4iqBnsLOZTq8EPjFwR/yXvObonFkaf0JW88tCNM3Wn/SOzNf90q12ui4kPipa F1oQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=XKj6hB3CbJPG3MzPqJKXu/piFOPlauwQguDrOreBKaM=; b=O63tGsdXaSXKgoaLb/9a5LuZN7aQu9Mb6wd83Y1w1ZrIjHXjL1BPZpCgxWlDFnZkHk udoecrX8X/SQJ4reILyNu4URyuMyuLlPnW8YN+dZGtjcW86aDLwn0dho4GUEKpYzPkcV lbdaShFhdb3znl3YpYFImw17PmYW7MAl584JU5kgaAb7tLEVJ1RCslwAAagzZtu1JZTc 59L9S5VIdAmz+dSLGSwCtdpki+w69buMmh/b9FhFmTPYU6MYSaccAre/Fk8dkzdgPhKt 8Hr6M/QKgSCOKyg3hRwro11oAX8dDq5qNGQ27oJTsIcN8qe7BcKPoVLfWEM+fGzCPoc/ FvTQ== X-Gm-Message-State: AFqh2ko9iEUQ1QFW+2MKNGj1WNJMSYPQXYdbMqwj+Xe61pQ0JwEVxmm1 dDa3IVN2HK2/I0I0UKZ5LtBmow== X-Google-Smtp-Source: AMrXdXvc5ZF2HGPG2JXP3WsGu6U+kBUrzzdJvr4/FMYW430vZlxaAi9EXpijojKFsC04viG5n9XvXA== X-Received: by 2002:a17:902:9b8b:b0:194:812b:6737 with SMTP id y11-20020a1709029b8b00b00194812b6737mr28818991plp.23.1674534768313; Mon, 23 Jan 2023 20:32:48 -0800 (PST) Received: from alarm.flets-east.jp ([2400:4050:a840:1e00:4457:c267:5e09:481b]) by smtp.gmail.com with ESMTPSA id z5-20020a170902708500b00196030312ccsm548033plk.78.2023.01.23.20.32.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 23 Jan 2023 20:32:48 -0800 (PST) From: Akihiko Odaki To: Cc: Jason Wang , Dmitry Fleytman , Thomas Huth , Laurent Vivier , Paolo Bonzini , qemu-devel@nongnu.org, qemu-ppc@nongnu.org, "Michael S. Tsirkin" , Yan Vugenfirer , Yuri Benditovich , Sriram Yagnaraman , Akihiko Odaki Subject: [PATCH v2 18/26] net: Check L4 header size Date: Tue, 24 Jan 2023 13:31:35 +0900 Message-Id: <20230124043143.5515-19-akihiko.odaki@daynix.com> X-Mailer: git-send-email 2.39.0 In-Reply-To: <20230124043143.5515-1-akihiko.odaki@daynix.com> References: <20230124043143.5515-1-akihiko.odaki@daynix.com> MIME-Version: 1.0 Received-SPF: none client-ip=2607:f8b0:4864:20::1036; envelope-from=akihiko.odaki@daynix.com; helo=mail-pj1-x1036.google.com X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org net_tx_pkt_build_vheader() inspects TCP header but had no check for the header size, resulting in an undefined behavior. Check the header size and drop the packet if the header is too small. Signed-off-by: Akihiko Odaki --- hw/net/e1000e_core.c | 19 ++++++++++++++----- hw/net/net_tx_pkt.c | 13 ++++++++++--- hw/net/net_tx_pkt.h | 3 ++- hw/net/vmxnet3.c | 14 +++++++------- 4 files changed, 33 insertions(+), 16 deletions(-) diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c index d143f2ae6f..38d374fba3 100644 --- a/hw/net/e1000e_core.c +++ b/hw/net/e1000e_core.c @@ -629,23 +629,30 @@ e1000e_rss_parse_packet(E1000ECore *core, info->queue = E1000_RSS_QUEUE(&core->mac[RETA], info->hash); } -static void +static bool e1000e_setup_tx_offloads(E1000ECore *core, struct e1000e_tx *tx) { if (tx->props.tse && tx->cptse) { - net_tx_pkt_build_vheader(tx->tx_pkt, true, true, tx->props.mss); + if (!net_tx_pkt_build_vheader(tx->tx_pkt, true, true, tx->props.mss)) { + return false; + } + net_tx_pkt_update_ip_checksums(tx->tx_pkt); e1000x_inc_reg_if_not_full(core->mac, TSCTC); - return; + return true; } if (tx->sum_needed & E1000_TXD_POPTS_TXSM) { - net_tx_pkt_build_vheader(tx->tx_pkt, false, true, 0); + if (!net_tx_pkt_build_vheader(tx->tx_pkt, false, true, 0)) { + return false; + } } if (tx->sum_needed & E1000_TXD_POPTS_IXSM) { net_tx_pkt_update_ip_hdr_checksum(tx->tx_pkt); } + + return true; } static bool @@ -654,7 +661,9 @@ e1000e_tx_pkt_send(E1000ECore *core, struct e1000e_tx *tx, int queue_index) int target_queue = MIN(core->max_queue_num, queue_index); NetClientState *queue = qemu_get_subqueue(core->owner_nic, target_queue); - e1000e_setup_tx_offloads(core, tx); + if (!e1000e_setup_tx_offloads(core, tx)) { + return false; + } net_tx_pkt_dump(tx->tx_pkt); diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c index 2533ea2700..8a23899a4d 100644 --- a/hw/net/net_tx_pkt.c +++ b/hw/net/net_tx_pkt.c @@ -304,10 +304,11 @@ func_exit: return rc; } -void net_tx_pkt_build_vheader(struct NetTxPkt *pkt, bool tso_enable, +bool net_tx_pkt_build_vheader(struct NetTxPkt *pkt, bool tso_enable, bool csum_enable, uint32_t gso_size) { struct tcp_hdr l4hdr; + size_t bytes_read; assert(pkt); /* csum has to be enabled if tso is. */ @@ -328,8 +329,12 @@ void net_tx_pkt_build_vheader(struct NetTxPkt *pkt, bool tso_enable, case VIRTIO_NET_HDR_GSO_TCPV4: case VIRTIO_NET_HDR_GSO_TCPV6: - iov_to_buf(&pkt->vec[NET_TX_PKT_PL_START_FRAG], pkt->payload_frags, - 0, &l4hdr, sizeof(l4hdr)); + bytes_read = iov_to_buf(&pkt->vec[NET_TX_PKT_PL_START_FRAG], + pkt->payload_frags, 0, &l4hdr, sizeof(l4hdr)); + if (bytes_read < sizeof(l4hdr)) { + return false; + } + pkt->virt_hdr.hdr_len = pkt->hdr_len + l4hdr.th_off * sizeof(uint32_t); pkt->virt_hdr.gso_size = gso_size; break; @@ -354,6 +359,8 @@ void net_tx_pkt_build_vheader(struct NetTxPkt *pkt, bool tso_enable, break; } } + + return true; } void net_tx_pkt_setup_vlan_header_ex(struct NetTxPkt *pkt, diff --git a/hw/net/net_tx_pkt.h b/hw/net/net_tx_pkt.h index 4ec8bbe9bd..2e38a5fa69 100644 --- a/hw/net/net_tx_pkt.h +++ b/hw/net/net_tx_pkt.h @@ -59,9 +59,10 @@ struct virtio_net_hdr *net_tx_pkt_get_vhdr(struct NetTxPkt *pkt); * @tso_enable: TSO enabled * @csum_enable: CSO enabled * @gso_size: MSS size for TSO + * @ret: operation result * */ -void net_tx_pkt_build_vheader(struct NetTxPkt *pkt, bool tso_enable, +bool net_tx_pkt_build_vheader(struct NetTxPkt *pkt, bool tso_enable, bool csum_enable, uint32_t gso_size); /** diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c index d2ab527ef4..c63bbb59bd 100644 --- a/hw/net/vmxnet3.c +++ b/hw/net/vmxnet3.c @@ -440,19 +440,19 @@ vmxnet3_setup_tx_offloads(VMXNET3State *s) { switch (s->offload_mode) { case VMXNET3_OM_NONE: - net_tx_pkt_build_vheader(s->tx_pkt, false, false, 0); - break; + return net_tx_pkt_build_vheader(s->tx_pkt, false, false, 0); case VMXNET3_OM_CSUM: - net_tx_pkt_build_vheader(s->tx_pkt, false, true, 0); VMW_PKPRN("L4 CSO requested\n"); - break; + return net_tx_pkt_build_vheader(s->tx_pkt, false, true, 0); case VMXNET3_OM_TSO: - net_tx_pkt_build_vheader(s->tx_pkt, true, true, - s->cso_or_gso_size); - net_tx_pkt_update_ip_checksums(s->tx_pkt); VMW_PKPRN("GSO offload requested."); + if (!net_tx_pkt_build_vheader(s->tx_pkt, true, true, + s->cso_or_gso_size)) { + return false; + } + net_tx_pkt_update_ip_checksums(s->tx_pkt); break; default: