diff options
author | Akihiko Odaki <akihiko.odaki@daynix.com> | 2023-02-23 19:20:10 +0900 |
---|---|---|
committer | Jason Wang <jasowang@redhat.com> | 2023-03-10 15:35:38 +0800 |
commit | dd32b5ea7eeea367058ec8e0f9eb41de41a8d106 (patch) | |
tree | df137bc8ef1777e1294e32456c0d37de2c98424f | |
parent | 02ef5fdc092bd495d6afd3c0212ff2e45931886d (diff) | |
download | qemu-dd32b5ea7eeea367058ec8e0f9eb41de41a8d106.zip qemu-dd32b5ea7eeea367058ec8e0f9eb41de41a8d106.tar.gz qemu-dd32b5ea7eeea367058ec8e0f9eb41de41a8d106.tar.bz2 |
hw/net/net_tx_pkt: Check the payload length
Check the payload length if checksumming to ensure the payload contains
the space for the resulting value.
This bug was found by Alexander Bulekov with the fuzzer:
https://patchew.org/QEMU/20230129053316.1071513-1-alxndr@bu.edu/
The fixed test case is:
fuzz/crash_6aeaa33e7211ecd603726c53e834df4c6d1e08bc
Fixes: e263cd49c7 ("Packet abstraction for VMWARE network devices")
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
-rw-r--r-- | hw/net/net_tx_pkt.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c index 4a35e84..986a3ad 100644 --- a/hw/net/net_tx_pkt.c +++ b/hw/net/net_tx_pkt.c @@ -342,11 +342,17 @@ bool net_tx_pkt_build_vheader(struct NetTxPkt *pkt, bool tso_enable, if (csum_enable) { switch (pkt->l4proto) { case IP_PROTO_TCP: + if (pkt->payload_len < sizeof(struct tcp_hdr)) { + return false; + } pkt->virt_hdr.flags = VIRTIO_NET_HDR_F_NEEDS_CSUM; pkt->virt_hdr.csum_start = pkt->hdr_len; pkt->virt_hdr.csum_offset = offsetof(struct tcp_hdr, th_sum); break; case IP_PROTO_UDP: + if (pkt->payload_len < sizeof(struct udp_hdr)) { + return false; + } pkt->virt_hdr.flags = VIRTIO_NET_HDR_F_NEEDS_CSUM; pkt->virt_hdr.csum_start = pkt->hdr_len; pkt->virt_hdr.csum_offset = offsetof(struct udp_hdr, uh_sum); |