qemu/hw/net
Stefan Hajnoczi e1c120a9c5 rtl8139: skip offload on short Ethernet/IP header (CVE-2015-5165)
Transmit offload features access Ethernet and IP headers the packet.  If
the packet is too short we must not attempt to access header fields:

  int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12));
  ...
  eth_payload_data = saved_buffer + ETH_HLEN;
  ...
  ip = (ip_header*)eth_payload_data;
  if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {

Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-08-03 13:08:00 +01:00
..
fsl_etsec etsec: Flush queue when rx buffer is consumed 2015-07-27 14:12:18 +01:00
rocker rocker: mark copy-to-cpu pkts as forwarding offloaded 2015-07-07 13:13:22 +01:00
allwinner_emac.c net: remove all cleanup methods from NIC NetClientInfos 2015-01-12 10:16:23 +00:00
cadence_gem.c cadence_gem: Fix Rx buffer size field mask 2015-06-03 16:03:03 +03:00
dp8393x.c net/dp8393x: do not use memory_region_init_rom_device with NULL 2015-07-28 09:30:10 +01:00
e1000_regs.h e1000: improve auto-negotiation reporting via mii-tool 2014-06-23 17:38:00 +03:00
e1000.c e1000: flush packets when link comes up 2015-07-07 13:10:26 +01:00
eepro100.c eepro100: Drop nic_can_receive 2015-07-27 14:12:18 +01:00
etraxfs_eth.c etraxfs_eth: Drop eth_can_receive 2015-07-20 17:47:24 +01:00
lan9118.c lan9118: Drop lan9118_can_receive 2015-07-20 17:47:24 +01:00
lance.c pcnet: Drop pcnet_can_receive 2015-07-27 14:12:18 +01:00
Makefile.objs qmp/hmp: add rocker device support 2015-06-12 13:42:17 +01:00
mcf_fec.c hw/net: handle flow control in mcf_fec driver receiver 2015-07-28 11:27:53 +01:00
milkymist-minimac2.c milkymist-minimac2: Flush queued packets when link comes up 2015-07-27 14:12:18 +01:00
mipsnet.c mipsnet: Flush queued packets when receiving is enabled 2015-07-27 14:12:18 +01:00
ne2000-isa.c net: remove all cleanup methods from NIC NetClientInfos 2015-01-12 10:16:23 +00:00
ne2000.c pci: Trivial device model conversions to realize 2015-02-26 12:42:16 +01:00
ne2000.h ne2000: pass device to ne2000_setup_io, use it as owner 2013-07-04 17:42:46 +02:00
opencores_eth.c net: remove all cleanup methods from NIC NetClientInfos 2015-01-12 10:16:23 +00:00
pcnet-pci.c pcnet: Drop pcnet_can_receive 2015-07-27 14:12:18 +01:00
pcnet.c pcnet: Drop pcnet_can_receive 2015-07-27 14:12:18 +01:00
pcnet.h pcnet: Drop pcnet_can_receive 2015-07-27 14:12:18 +01:00
rtl8139.c rtl8139: skip offload on short Ethernet/IP header (CVE-2015-5165) 2015-08-03 13:08:00 +01:00
smc91c111.c net: remove all cleanup methods from NIC NetClientInfos 2015-01-12 10:16:23 +00:00
spapr_llan.c spapr: Merge sPAPREnvironment into sPAPRMachineState 2015-07-07 17:44:50 +02:00
stellaris_enet.c stellaris_enet: Flush queued packets when read done 2015-07-27 14:12:18 +01:00
vhost_net.c Revert "vhost-user: add multi queue support" 2015-07-20 14:19:40 +03:00
virtio-net.c virtio: get_features() can fail 2015-07-27 18:11:53 +03:00
vmware_utils.h exec: Make stb_phys input an AddressSpace 2014-02-11 22:57:38 +10:00
vmxnet3.c net/vmxnet3: Fix RX TCP/UDP checksum on partially summed packets 2015-07-20 17:39:05 +01:00
vmxnet3.h vmxnet3: Eliminate __packed redefined warning 2013-09-06 17:25:55 +02:00
vmxnet_debug.h hw: move target-independent files to subdirectories 2013-04-08 18:13:12 +02:00
vmxnet_rx_pkt.c net/vmxnet3: Refactor 'vmxnet_rx_pkt_attach_data' 2015-07-20 17:39:05 +01:00
vmxnet_rx_pkt.h net/vmxnet3: Refactor 'vmxnet_rx_pkt_attach_data' 2015-07-20 17:39:05 +01:00
vmxnet_tx_pkt.c misc: Use g_assert_not_reached for code which is expected to be unreachable 2013-07-27 11:22:54 +04:00
vmxnet_tx_pkt.h hw: move target-independent files to subdirectories 2013-04-08 18:13:12 +02:00
xen_nic.c xen: Drop net_rx_ok 2015-07-28 11:35:54 +01:00
xgmac.c xgmac: Drop packets with eth_can_rx is false. 2015-07-27 14:12:18 +01:00
xilinx_axienet.c axienet: Flush queued packets when rx is done 2015-07-27 14:12:18 +01:00
xilinx_ethlite.c xilinx_ethlite: Clean up after commit 2f991ad 2015-03-10 08:15:33 +03:00