NetRxPkt: Fix memory corruption on VLAN header stripping

This patch fixed a problem that was introduced in commit eb700029.

When net_rx_pkt_attach_iovec() calls eth_strip_vlan()
this can result in pkt->ehdr_buf being overflowed, because
ehdr_buf is only sizeof(struct eth_header) bytes large
but eth_strip_vlan() can write
sizeof(struct eth_header) + sizeof(struct vlan_header)
bytes into it.

Devices affected by this problem: vmxnet3.

Cc: qemu-stable@nongnu.org
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
This commit is contained in:
Dmitry Fleytman 2017-02-16 14:29:33 +02:00 committed by Jason Wang
parent 566342c312
commit df8bf7a7fe

View File

@ -23,13 +23,13 @@
struct NetRxPkt { struct NetRxPkt {
struct virtio_net_hdr virt_hdr; struct virtio_net_hdr virt_hdr;
uint8_t ehdr_buf[sizeof(struct eth_header)]; uint8_t ehdr_buf[sizeof(struct eth_header) + sizeof(struct vlan_header)];
struct iovec *vec; struct iovec *vec;
uint16_t vec_len_total; uint16_t vec_len_total;
uint16_t vec_len; uint16_t vec_len;
uint32_t tot_len; uint32_t tot_len;
uint16_t tci; uint16_t tci;
bool vlan_stripped; size_t ehdr_buf_len;
bool has_virt_hdr; bool has_virt_hdr;
eth_pkt_types_e packet_type; eth_pkt_types_e packet_type;
@ -88,15 +88,13 @@ net_rx_pkt_pull_data(struct NetRxPkt *pkt,
const struct iovec *iov, int iovcnt, const struct iovec *iov, int iovcnt,
size_t ploff) size_t ploff)
{ {
if (pkt->vlan_stripped) { if (pkt->ehdr_buf_len) {
net_rx_pkt_iovec_realloc(pkt, iovcnt + 1); net_rx_pkt_iovec_realloc(pkt, iovcnt + 1);
pkt->vec[0].iov_base = pkt->ehdr_buf; pkt->vec[0].iov_base = pkt->ehdr_buf;
pkt->vec[0].iov_len = sizeof(pkt->ehdr_buf); pkt->vec[0].iov_len = pkt->ehdr_buf_len;
pkt->tot_len =
iov_size(iov, iovcnt) - ploff + sizeof(struct eth_header);
pkt->tot_len = iov_size(iov, iovcnt) - ploff + pkt->ehdr_buf_len;
pkt->vec_len = iov_copy(pkt->vec + 1, pkt->vec_len_total - 1, pkt->vec_len = iov_copy(pkt->vec + 1, pkt->vec_len_total - 1,
iov, iovcnt, ploff, pkt->tot_len); iov, iovcnt, ploff, pkt->tot_len);
} else { } else {
@ -123,11 +121,12 @@ void net_rx_pkt_attach_iovec(struct NetRxPkt *pkt,
uint16_t tci = 0; uint16_t tci = 0;
uint16_t ploff = iovoff; uint16_t ploff = iovoff;
assert(pkt); assert(pkt);
pkt->vlan_stripped = false;
if (strip_vlan) { if (strip_vlan) {
pkt->vlan_stripped = eth_strip_vlan(iov, iovcnt, iovoff, pkt->ehdr_buf, pkt->ehdr_buf_len = eth_strip_vlan(iov, iovcnt, iovoff, pkt->ehdr_buf,
&ploff, &tci); &ploff, &tci);
} else {
pkt->ehdr_buf_len = 0;
} }
pkt->tci = tci; pkt->tci = tci;
@ -143,12 +142,13 @@ void net_rx_pkt_attach_iovec_ex(struct NetRxPkt *pkt,
uint16_t tci = 0; uint16_t tci = 0;
uint16_t ploff = iovoff; uint16_t ploff = iovoff;
assert(pkt); assert(pkt);
pkt->vlan_stripped = false;
if (strip_vlan) { if (strip_vlan) {
pkt->vlan_stripped = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet, pkt->ehdr_buf_len = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet,
pkt->ehdr_buf, pkt->ehdr_buf,
&ploff, &tci); &ploff, &tci);
} else {
pkt->ehdr_buf_len = 0;
} }
pkt->tci = tci; pkt->tci = tci;
@ -161,8 +161,8 @@ void net_rx_pkt_dump(struct NetRxPkt *pkt)
#ifdef NET_RX_PKT_DEBUG #ifdef NET_RX_PKT_DEBUG
assert(pkt); assert(pkt);
printf("RX PKT: tot_len: %d, vlan_stripped: %d, vlan_tag: %d\n", printf("RX PKT: tot_len: %d, ehdr_buf_len: %lu, vlan_tag: %d\n",
pkt->tot_len, pkt->vlan_stripped, pkt->tci); pkt->tot_len, pkt->ehdr_buf_len, pkt->tci);
#endif #endif
} }
@ -425,7 +425,7 @@ bool net_rx_pkt_is_vlan_stripped(struct NetRxPkt *pkt)
{ {
assert(pkt); assert(pkt);
return pkt->vlan_stripped; return pkt->ehdr_buf_len ? true : false;
} }
bool net_rx_pkt_has_virt_hdr(struct NetRxPkt *pkt) bool net_rx_pkt_has_virt_hdr(struct NetRxPkt *pkt)