qemu/include
Jason Wang 25c01bd19d net: drop too large packet early
We try to detect and drop too large packet (>INT_MAX) in 1592a99470
("net: ignore packet size greater than INT_MAX") during packet
delivering. Unfortunately, this is not sufficient as we may hit
another integer overflow when trying to queue such large packet in
qemu_net_queue_append_iov():

- size of the allocation may overflow on 32bit
- packet->size is integer which may overflow even on 64bit

Fixing this by moving the check to qemu_sendv_packet_async() which is
the entrance of all networking codes and reduce the limit to
NET_BUFSIZE to be more conservative. This works since:

- For the callers that call qemu_sendv_packet_async() directly, they
  only care about if zero is returned to determine whether to prevent
  the source from producing more packets. A callback will be triggered
  if peer can accept more then source could be enabled. This is
  usually used by high speed networking implementation like virtio-net
  or netmap.
- For the callers that call qemu_sendv_packet() that calls
  qemu_sendv_packet_async() indirectly, they often ignore the return
  value. In this case qemu will just the drop packets if peer can't
  receive.

Qemu will copy the packet if it was queued. So it was safe for both
kinds of the callers to assume the packet was sent.

Since we move the check from qemu_deliver_packet_iov() to
qemu_sendv_packet_async(), it would be safer to make
qemu_deliver_packet_iov() static to prevent any external user in the
future.

This is a revised patch of CVE-2018-17963.

Cc: qemu-stable@nongnu.org
Cc: Li Qiang <liq3ea@163.com>
Fixes: 1592a99470 ("net: ignore packet size greater than INT_MAX")
Reported-by: Li Qiang <liq3ea@gmail.com>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-id: 20181204035347.6148-2-jasowang@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-12-04 11:06:15 +00:00
..
block block: Require auto-read-only for existing fallbacks 2018-11-05 15:09:55 +01:00
chardev chardev: mark the calls that allow an implicit mux monitor 2018-10-03 14:45:05 +04:00
crypto tests: call qcrypto_init instead of gnutls_global_init 2018-07-24 17:33:39 +01:00
disas target/mips: Add disassembler support for nanoMIPS 2018-10-25 22:13:33 +02:00
exec memory: learn about non-volatile memory region 2018-11-06 21:35:05 +01:00
fpu softfloat: Don't execute divdeu without power7 2018-11-04 10:04:40 +00:00
hw ppc patch queue 2018-11-08 2018-11-08 14:42:37 +00:00
io io: return 0 for EOF in TLS session read after shutdown 2018-11-19 11:16:46 -06:00
libdecnumber
migration vmstate: constify VMStateField 2018-11-27 15:35:15 +01:00
monitor qdev-monitor: print help to stdout 2018-10-05 16:14:22 +04:00
net net: drop too large packet early 2018-12-04 11:06:15 +00:00
qapi error: Fix use of error_prepend() with &error_fatal, &error_abort 2018-10-19 14:51:34 +02:00
qemu include/qemu/thread.h: Document qemu_thread_atexit* API 2018-11-06 21:35:06 +01:00
qom cputlb: Move cpu->pending_tlb_flush to env->tlb_c.pending_flush 2018-10-31 12:16:02 +00:00
scsi pr-manager: add query-pr-managers QMP command 2018-06-28 19:05:35 +02:00
standard-headers linux-headers: update 2018-10-12 11:32:18 +02:00
sysemu block: change some function return type to bool 2018-11-05 15:09:54 +01:00
ui ui: Convert vnc_display_init(), init_keyboard_layout() to Error 2018-10-19 14:51:34 +02:00
elf.h elf: Define MIPS_ABI_FP_UNKNOWN macro 2018-10-29 15:47:32 +01:00
glib-compat.h glib: enforce the minimum required version and warn about old APIs 2018-06-29 12:22:28 +01:00
qemu-common.h qemu-common.h: update copyright date to 2018 2018-10-16 17:52:06 +02:00
qemu-io.h qemu-io: Let command functions return error code 2018-06-11 16:18:45 +02:00
trace-tcg.h