diff options
author | Li Qiang <liqiang6-s@360.cn> | 2016-08-09 16:49:47 +0530 |
---|---|---|
committer | Michael Roth <mdroth@linux.vnet.ibm.com> | 2016-09-08 15:23:02 -0500 |
commit | 93060258ae748573ca7197204125a2670047896d (patch) | |
tree | bebba1a7de6652a3a35b9d69c120cb8b12ef940c | |
parent | f216833ac0fcd85f62d73387f529f141f8f4abfd (diff) | |
download | qemu-93060258ae748573ca7197204125a2670047896d.zip qemu-93060258ae748573ca7197204125a2670047896d.tar.gz qemu-93060258ae748573ca7197204125a2670047896d.tar.bz2 |
net: vmxnet: check IP header length
Vmxnet3 device emulator when parsing packet headers does not check
for IP header length. It could lead to a OOB access when reading
further packet data. Add check to avoid it.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-rw-r--r-- | hw/net/vmxnet_tx_pkt.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/hw/net/vmxnet_tx_pkt.c b/hw/net/vmxnet_tx_pkt.c index f4d0f5f..5ba2f5e 100644 --- a/hw/net/vmxnet_tx_pkt.c +++ b/hw/net/vmxnet_tx_pkt.c @@ -178,6 +178,11 @@ static bool vmxnet_tx_pkt_parse_headers(struct VmxnetTxPkt *pkt) } l3_hdr->iov_len = IP_HDR_GET_LEN(l3_hdr->iov_base); + if(l3_hdr->iov_len < sizeof(struct ip_header)) + { + l3_hdr->iov_len = 0; + return false; + } pkt->l4proto = ((struct ip_header *) l3_hdr->iov_base)->ip_p; /* copy optional IPv4 header data */ |