net: vmxnet: check IP header length

Vmxnet3 device emulator when parsing packet headers does not check for IP header length. It could lead to a OOB access when reading further packet data. Add check to avoid it. Reported-by: Li Qiang <liqiang6-s@360.cn> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Reviewed-by: Dmitry Fleytman <dmitry@daynix.com> Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
author: Li Qiang <liqiang6-s@360.cn> 2016-08-09 16:49:47 +0530
committer: Michael Roth <mdroth@linux.vnet.ibm.com> 2016-09-08 15:23:02 -0500
commit: 93060258ae748573ca7197204125a2670047896d (patch)
tree: bebba1a7de6652a3a35b9d69c120cb8b12ef940c
parent: f216833ac0fcd85f62d73387f529f141f8f4abfd (diff)
download: qemu-93060258ae748573ca7197204125a2670047896d.zip
qemu-93060258ae748573ca7197204125a2670047896d.tar.gz
qemu-93060258ae748573ca7197204125a2670047896d.tar.bz2
1 files changed, 5 insertions, 0 deletions
diff --git a/hw/net/vmxnet_tx_pkt.c b/hw/net/vmxnet_tx_pkt.c
index f4d0f5f..5ba2f5e 100644
--- a/hw/net/vmxnet_tx_pkt.c
+++ b/hw/net/vmxnet_tx_pkt.c
@@ -178,6 +178,11 @@ static bool vmxnet_tx_pkt_parse_headers(struct VmxnetTxPkt *pkt)
         }
 
         l3_hdr->iov_len = IP_HDR_GET_LEN(l3_hdr->iov_base);
+        if(l3_hdr->iov_len < sizeof(struct ip_header))
+        {
+            l3_hdr->iov_len = 0;
+            return false;
+        }
         pkt->l4proto = ((struct ip_header *) l3_hdr->iov_base)->ip_p;
 
         /* copy optional IPv4 header data */
author	Li Qiang <liqiang6-s@360.cn>	2016-08-09 16:49:47 +0530
committer	Michael Roth <mdroth@linux.vnet.ibm.com>	2016-09-08 15:23:02 -0500
commit	93060258ae748573ca7197204125a2670047896d (patch)
tree	bebba1a7de6652a3a35b9d69c120cb8b12ef940c
parent	f216833ac0fcd85f62d73387f529f141f8f4abfd (diff)
download	qemu-93060258ae748573ca7197204125a2670047896d.zip qemu-93060258ae748573ca7197204125a2670047896d.tar.gz qemu-93060258ae748573ca7197204125a2670047896d.tar.bz2