aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAkihiko Odaki <akihiko.odaki@daynix.com>2023-02-23 19:20:10 +0900
committerJason Wang <jasowang@redhat.com>2023-03-10 15:35:38 +0800
commitdd32b5ea7eeea367058ec8e0f9eb41de41a8d106 (patch)
treedf137bc8ef1777e1294e32456c0d37de2c98424f
parent02ef5fdc092bd495d6afd3c0212ff2e45931886d (diff)
downloadqemu-dd32b5ea7eeea367058ec8e0f9eb41de41a8d106.zip
qemu-dd32b5ea7eeea367058ec8e0f9eb41de41a8d106.tar.gz
qemu-dd32b5ea7eeea367058ec8e0f9eb41de41a8d106.tar.bz2
hw/net/net_tx_pkt: Check the payload length
Check the payload length if checksumming to ensure the payload contains the space for the resulting value. This bug was found by Alexander Bulekov with the fuzzer: https://patchew.org/QEMU/20230129053316.1071513-1-alxndr@bu.edu/ The fixed test case is: fuzz/crash_6aeaa33e7211ecd603726c53e834df4c6d1e08bc Fixes: e263cd49c7 ("Packet abstraction for VMWARE network devices") Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
-rw-r--r--hw/net/net_tx_pkt.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
index 4a35e84..986a3ad 100644
--- a/hw/net/net_tx_pkt.c
+++ b/hw/net/net_tx_pkt.c
@@ -342,11 +342,17 @@ bool net_tx_pkt_build_vheader(struct NetTxPkt *pkt, bool tso_enable,
if (csum_enable) {
switch (pkt->l4proto) {
case IP_PROTO_TCP:
+ if (pkt->payload_len < sizeof(struct tcp_hdr)) {
+ return false;
+ }
pkt->virt_hdr.flags = VIRTIO_NET_HDR_F_NEEDS_CSUM;
pkt->virt_hdr.csum_start = pkt->hdr_len;
pkt->virt_hdr.csum_offset = offsetof(struct tcp_hdr, th_sum);
break;
case IP_PROTO_UDP:
+ if (pkt->payload_len < sizeof(struct udp_hdr)) {
+ return false;
+ }
pkt->virt_hdr.flags = VIRTIO_NET_HDR_F_NEEDS_CSUM;
pkt->virt_hdr.csum_start = pkt->hdr_len;
pkt->virt_hdr.csum_offset = offsetof(struct udp_hdr, uh_sum);