qemu/hw/net
Stefan Hajnoczi 792676c165 rtl8139: fix large_send_mss divide-by-zero
If the driver sets large_send_mss to 0 then a divide-by-zero occurs.
Even if the division wasn't a problem, the for loop that emits MSS-sized
packets would never terminate.

Solve these issues by skipping offloading when large_send_mss=0.

This issue was found by OSS-Fuzz as part of Alexander Bulekov's device
fuzzing work. The reproducer is:

  $ cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
  512M,slots=1,maxmem=0xffff000000000000 -machine q35 -nodefaults -device \
  rtl8139,netdev=net0 -netdev user,id=net0 -device \
  pc-dimm,id=nv1,memdev=mem1,addr=0xb800a64602800000 -object \
  memory-backend-ram,id=mem1,size=2M  -qtest stdio
  outl 0xcf8 0x80000814
  outl 0xcfc 0xe0000000
  outl 0xcf8 0x80000804
  outw 0xcfc 0x06
  write 0xe0000037 0x1 0x04
  write 0xe00000e0 0x2 0x01
  write 0x1 0x1 0x04
  write 0x3 0x1 0x98
  write 0xa 0x1 0x8c
  write 0xb 0x1 0x02
  write 0xc 0x1 0x46
  write 0xd 0x1 0xa6
  write 0xf 0x1 0xb8
  write 0xb800a646028c000c 0x1 0x08
  write 0xb800a646028c000e 0x1 0x47
  write 0xb800a646028c0010 0x1 0x02
  write 0xb800a646028c0017 0x1 0x06
  write 0xb800a646028c0036 0x1 0x80
  write 0xe00000d9 0x1 0x40
  EOF

Buglink: https://gitlab.com/qemu-project/qemu/-/issues/1582
Closes: https://gitlab.com/qemu-project/qemu/-/issues/1582
Cc: qemu-stable@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>
Fixes: 6d71357a3b ("rtl8139: honor large send MSS value")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
2023-05-23 15:20:15 +08:00
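The bug class behind this commit, as an added example that is not QEMU or rtl8139 code: a large-send (TSO) path takes a guest-driver-supplied MSS and uses it both as a divisor and as the loop stride, so a value of 0 faults on the division and, failing that, leaves the offset stuck at 0 forever. All names here (tso_segment_buggy, tso_segment_fixed, emit_fn, run_fixed) are hypothetical; the buggy variant is bounded by an iteration cap so the non-termination is observable instead of hanging, and the division that would trap is left as a comment.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical callback: the device emits one packet covering
 * payload bytes [off, off + len). */
typedef void (*emit_fn)(size_t off, size_t len, void *opaque);

/* Buggy shape: trusts the driver-supplied mss.  The commented-out
 * division raises SIGFPE when mss == 0, and even without it the loop
 * never advances because off += 0.  max_iters is only a test guard. */
static long tso_segment_buggy(size_t payload_len, uint16_t mss,
                              unsigned max_iters)
{
    unsigned iters = 0;
    /* size_t nsegs = (payload_len + mss - 1) / mss;   -- traps if mss == 0 */
    for (size_t off = 0; off < payload_len; off += mss) {
        if (++iters > max_iters) {
            return -1;          /* would spin forever with mss == 0 */
        }
    }
    return iters;
}

/* Fixed shape: validate the guest-controlled value before using it as
 * divisor or stride.  Returns true when the payload was segmented, or
 * false when offloading was skipped and the frame emitted unsegmented. */
static bool tso_segment_fixed(size_t payload_len, uint16_t mss,
                              emit_fn emit, void *opaque)
{
    if (mss == 0) {
        /* Untrusted guest value: do not offload, send one frame as-is. */
        emit(0, payload_len, opaque);
        return false;
    }
    for (size_t off = 0; off < payload_len; off += mss) {
        size_t remain = payload_len - off;
        emit(off, remain < mss ? remain : mss, opaque);
    }
    return true;
}

/* Recorder used to observe what the fixed path emitted. */
struct emit_log {
    bool offloaded;   /* true if the payload was segmented */
    size_t count;     /* packets emitted */
    size_t total;     /* payload bytes covered by all packets */
    size_t last_len;  /* payload length of the final packet */
};

static void log_emit(size_t off, size_t len, void *opaque)
{
    struct emit_log *l = opaque;
    (void)off;
    l->count++;
    l->total += len;
    l->last_len = len;
}

/* Run the fixed path on a constructed payload length and MSS. */
static struct emit_log run_fixed(size_t payload_len, uint16_t mss)
{
    struct emit_log l = { false, 0, 0, 0 };
    l.offloaded = tso_segment_fixed(payload_len, mss, log_emit, &l);
    return l;
}

int main(void)
{
    struct emit_log l = run_fixed(4000, 1460);
    printf("mss=1460: offloaded=%d packets=%zu last=%zu\n",
           l.offloaded, l.count, l.last_len);
    l = run_fixed(4000, 0);
    printf("mss=0:    offloaded=%d packets=%zu total=%zu\n",
           l.offloaded, l.count, l.total);
    printf("buggy loop, mss=0, capped at 1000 iterations: %ld\n",
           tso_segment_buggy(4000, 0, 1000));
    return 0;
}
```

The check that matters is the early `mss == 0` return placed before any arithmetic on the value; a guest can write any descriptor field it likes, so every quantity the device divides by or steps by has to be validated at the trust boundary rather than assumed sane.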
can include/hw/pci: Split pci_device.h off pci.h 2023-01-08 01:54:22 -05:00
fsl_etsec fsl_etsec: Use hw/net/mii.h 2023-03-10 15:35:38 +08:00
rocker rocker: Tweak stubbed out monitor commands' error messages 2023-02-23 14:10:17 +01:00
allwinner_emac.c bulk: Rename TARGET_FMT_plx -> HWADDR_FMT_plx 2023-01-18 11:14:34 +01:00
allwinner-sun8i-emac.c hw/net/allwinner-sun8i-emac: Correctly byteswap descriptor fields 2023-05-02 15:47:41 +01:00
cadence_gem.c Drop more useless casts from void * to pointer 2022-12-14 16:19:35 +01:00
dp8393x.c dp8393x: don't force 32-bit register access 2021-07-11 22:29:54 +02:00
e1000_common.h e1000: Split header files 2023-03-10 15:35:38 +08:00
e1000_regs.h e1000: Split header files 2023-03-10 15:35:38 +08:00
e1000.c e1000x: Share more Rx filtering logic 2023-05-23 15:20:15 +08:00
e1000e_core.c e1000e: Notify only new interrupts 2023-05-23 15:20:15 +08:00
e1000e_core.h e1000e: Notify only new interrupts 2023-05-23 15:20:15 +08:00
e1000e.c e1000: Split header files 2023-03-10 15:35:38 +08:00
e1000x_common.c e1000x: Take CRC into consideration for size check 2023-05-23 15:20:15 +08:00
e1000x_common.h e1000x: Share more Rx filtering logic 2023-05-23 15:20:15 +08:00
e1000x_regs.h e1000x: Rename TcpIpv6 into TcpIpv6Ex 2023-05-23 15:20:15 +08:00
eepro100.c include/hw/pci: Split pci_device.h off pci.h 2023-01-08 01:54:22 -05:00
etraxfs_eth.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
ftgmac100.c hw/net: Fix read of uninitialized memory in ftgmac100 2023-02-07 09:02:04 +01:00
i82596.c Do not include sysemu/sysemu.h if it's not really necessary 2021-05-02 17:24:50 +02:00
i82596.h hw/net: Make NetCanReceive() return a boolean 2020-03-31 21:14:35 +08:00
igb_common.h igb: Implement Rx PTP2 timestamp 2023-05-23 15:20:15 +08:00
igb_core.c igb: Clear-on-read ICR when ICR.INTA is set 2023-05-23 15:20:15 +08:00
igb_core.h igb: implement VFRE and VFTE registers 2023-03-28 13:10:55 +08:00
igb_regs.h igb: Implement Tx timestamp 2023-05-23 15:20:15 +08:00
igb.c igb: Share common VF constants 2023-05-23 15:20:15 +08:00
igbvf.c igb: Share common VF constants 2023-05-23 15:20:15 +08:00
imx_fec.c hw/net/imx_fec: Support two Ethernet interfaces connected to single MDIO bus 2023-04-20 10:25:43 +01:00
Kconfig vmxnet3: Do not depend on PC 2023-05-23 15:20:15 +08:00
lan9118.c hw/net/lan9118: log [read|write]b when mode_16bit is enabled rather than abort 2023-02-17 13:31:33 +08:00
lance.c Drop more @errp parameters after previous commit 2020-05-15 07:08:14 +02:00
lasi_i82596.c Do not include sysemu/sysemu.h if it's not really necessary 2021-05-02 17:24:50 +02:00
mcf_fec.c net: Replace TAB indentations with spaces 2022-11-11 09:39:03 +01:00
meson.build hw/net: Move xilinx_ethlite.c to the target-independent source set 2023-05-16 09:14:18 +02:00
mipsnet.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
msf2-emac.c hw/net/msf2-emac: Don't modify descriptor in-place in emac_store_desc() 2023-05-02 15:47:40 +01:00
mv88w8618_eth.c hw/net: Move MV88W8618 network device out of hw/arm/ directory 2022-01-20 11:47:52 +00:00
ne2000-isa.c hw/isa: Inline and remove one-line isa_init_irq() 2022-03-08 19:38:17 +01:00
ne2000-pci.c include/hw/pci: Split pci_device.h off pci.h 2023-01-08 01:54:22 -05:00
ne2000.c net: Replace TAB indentations with spaces 2022-11-11 09:39:03 +01:00
ne2000.h Include hw/hw.h exactly where needed 2019-08-16 13:31:52 +02:00
net_rx_pkt.c igb: Strip the second VLAN tag for extended VLAN 2023-05-23 15:20:15 +08:00
net_rx_pkt.h igb: Strip the second VLAN tag for extended VLAN 2023-05-23 15:20:15 +08:00
net_tx_pkt.c igb: Implement Tx SCTP CSO 2023-05-23 15:20:15 +08:00
net_tx_pkt.h igb: Implement Tx SCTP CSO 2023-05-23 15:20:15 +08:00
npcm7xx_emc.c hw/net: npcm7xx_emc: set MAC in register space 2023-05-02 15:47:39 +01:00
opencores_eth.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
pcnet-pci.c include/hw/pci: Split pci_device.h off pci.h 2023-01-08 01:54:22 -05:00
pcnet.c bulk: Rename TARGET_FMT_plx -> HWADDR_FMT_plx 2023-01-18 11:14:34 +01:00
pcnet.h net: Replace TAB indentations with spaces 2022-11-11 09:39:03 +01:00
rtl8139.c rtl8139: fix large_send_mss divide-by-zero 2023-05-23 15:20:15 +08:00
smc91c111.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
spapr_llan.c Do not include cpu.h if it's not really necessary 2021-05-02 17:24:51 +02:00
stellaris_enet.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
sungem.c include/hw/pci: Split pci_device.h off pci.h 2023-01-08 01:54:22 -05:00
sunhme.c include/hw/pci: Split pci_device.h off pci.h 2023-01-08 01:54:22 -05:00
trace-events igb: Notify only new interrupts 2023-05-23 15:20:15 +08:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00
tulip.c include/hw/pci: Split pci_device.h off pci.h 2023-01-08 01:54:22 -05:00
tulip.h Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
vhost_net-stub.c virtio-net: add support for configure interrupt 2023-01-08 01:54:22 -05:00
vhost_net.c virtio-net: add support for configure interrupt 2023-01-08 01:54:22 -05:00
virtio-net.c net/net_rx_pkt: Use iovec for net_rx_pkt_set_protocols() 2023-05-23 15:20:15 +08:00
vmware_utils.h hw/net/vmxnet3: Fix code to work on big endian hosts, too 2017-11-20 11:08:00 +08:00
vmxnet3_defs.h include/hw/pci: Split pci_device.h off pci.h 2023-01-08 01:54:22 -05:00
vmxnet3.c vmxnet3: Reset packet state after emptying Tx queue 2023-05-23 15:20:15 +08:00
vmxnet3.h Replace config-time define HOST_WORDS_BIGENDIAN 2022-04-06 10:50:37 +02:00
vmxnet_debug.h Clean up ill-advised or unusual header guards 2016-07-12 16:20:46 +02:00
xen_nic.c hw/xen: Use XEN_PAGE_SIZE in PV backend drivers 2023-03-07 17:04:30 +00:00
xgmac.c hw: Do not include qemu/log.h if it is not necessary 2021-05-02 17:24:50 +02:00
xilinx_axienet.c Drop duplicate #include 2023-02-08 07:28:05 +01:00
xilinx_ethlite.c hw/net: Move xilinx_ethlite.c to the target-independent source set 2023-05-16 09:14:18 +02:00