qemu/hw/net
Stefan Hajnoczi 792676c165 rtl8139: fix large_send_mss divide-by-zero
If the driver sets large_send_mss to 0 then a divide-by-zero occurs.
Even if the division wasn't a problem, the for loop that emits MSS-sized
packets would never terminate.

Solve these issues by skipping offloading when large_send_mss=0.

This issue was found by OSS-Fuzz as part of Alexander Bulekov's device
fuzzing work. The reproducer is:

  $ cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
  512M,slots=1,maxmem=0xffff000000000000 -machine q35 -nodefaults -device \
  rtl8139,netdev=net0 -netdev user,id=net0 -device \
  pc-dimm,id=nv1,memdev=mem1,addr=0xb800a64602800000 -object \
  memory-backend-ram,id=mem1,size=2M  -qtest stdio
  outl 0xcf8 0x80000814
  outl 0xcfc 0xe0000000
  outl 0xcf8 0x80000804
  outw 0xcfc 0x06
  write 0xe0000037 0x1 0x04
  write 0xe00000e0 0x2 0x01
  write 0x1 0x1 0x04
  write 0x3 0x1 0x98
  write 0xa 0x1 0x8c
  write 0xb 0x1 0x02
  write 0xc 0x1 0x46
  write 0xd 0x1 0xa6
  write 0xf 0x1 0xb8
  write 0xb800a646028c000c 0x1 0x08
  write 0xb800a646028c000e 0x1 0x47
  write 0xb800a646028c0010 0x1 0x02
  write 0xb800a646028c0017 0x1 0x06
  write 0xb800a646028c0036 0x1 0x80
  write 0xe00000d9 0x1 0x40
  EOF

Buglink: https://gitlab.com/qemu-project/qemu/-/issues/1582
Closes: https://gitlab.com/qemu-project/qemu/-/issues/1582
Cc: qemu-stable@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>
Fixes: 6d71357a3b ("rtl8139: honor large send MSS value")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
2023-05-23 15:20:15 +08:00
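The commit message describes two consequences of a guest-controlled large_send_mss of 0: a divide-by-zero when the segment count is computed, and a segmentation loop whose offset never advances. The C model below is an added illustration and is not rtl8139.c or any QEMU code; the structures, function names and the fixed-size payload are hypothetical. It shows the guard the fix describes (treat a zero MSS as "no offload" and emit the frame unsegmented) placed before the division and before the loop, and a constructed payload exercises both paths.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical model of a large-send (TSO) request as the NIC emulation
 * would see it after parsing a transmit descriptor.  The MSS is written by
 * the guest driver and must be treated as untrusted. */
struct tso_request {
    const uint8_t *payload;
    size_t payload_len;
    uint16_t large_send_mss;    /* guest-controlled; may legitimately be 0 */
};

struct tso_result {
    bool offloaded;             /* false: sent as a single unsegmented frame */
    unsigned segments;          /* frames handed to the backend */
    size_t bytes_sent;
};

/* Stand-in for the NIC handing one frame to the network backend. */
typedef void (*emit_fn)(const uint8_t *chunk, size_t len, void *opaque);

/* Segment count, as a division by the MSS.  With mss == 0 this is exactly the
 * divide-by-zero the commit fixes, so callers must check mss first. */
static unsigned tso_segment_count(size_t payload_len, uint16_t mss)
{
    return (unsigned)((payload_len + mss - 1) / mss);
}

static struct tso_result tso_transmit(const struct tso_request *req,
                                      emit_fn emit, void *opaque)
{
    struct tso_result res = { .offloaded = false, .segments = 0, .bytes_sent = 0 };

    /* The fix: a zero MSS means segmentation cannot proceed.  Skip offloading
     * and send the payload as-is instead of dividing by zero or entering a
     * loop whose offset is advanced by 0 on every iteration. */
    if (req->large_send_mss == 0) {
        emit(req->payload, req->payload_len, opaque);
        res.segments = 1;
        res.bytes_sent = req->payload_len;
        return res;
    }

    res.offloaded = true;
    unsigned expected = tso_segment_count(req->payload_len, req->large_send_mss);

    /* Offset advances by mss each round; with mss > 0 the loop terminates. */
    for (size_t off = 0; off < req->payload_len; off += req->large_send_mss) {
        size_t chunk = req->payload_len - off;
        if (chunk > req->large_send_mss) {
            chunk = req->large_send_mss;
        }
        emit(req->payload + off, chunk, opaque);
        res.segments++;
        res.bytes_sent += chunk;
    }

    /* Sanity check: the loop must emit exactly the number of segments the
     * division predicted. */
    if (res.segments != expected) {
        res.offloaded = false;
    }
    return res;
}

struct count_ctx { unsigned frames; size_t bytes; size_t largest; };

static void count_emit(const uint8_t *chunk, size_t len, void *opaque)
{
    struct count_ctx *c = opaque;
    (void)chunk;
    c->frames++;
    c->bytes += len;
    if (len > c->largest) {
        c->largest = len;
    }
}

/* Drive the model with a constructed payload of `len` bytes (filled with a
 * marker byte) and a given MSS; returns the transmit summary. */
static struct tso_result tso_example(size_t len, uint16_t mss)
{
    static uint8_t payload[4096];           /* constructed sample payload */
    memset(payload, 0xAB, sizeof payload);
    if (len > sizeof payload) {
        len = sizeof payload;
    }
    struct tso_request req = { payload, len, mss };
    struct count_ctx ctx = { 0, 0, 0 };
    return tso_transmit(&req, count_emit, &ctx);
}

int main(void)
{
    struct tso_result ok = tso_example(3000, 1460);
    struct tso_result zero = tso_example(3000, 0);
    printf("mss=1460: offloaded=%d segments=%u bytes=%zu\n",
           ok.offloaded, ok.segments, ok.bytes_sent);
    printf("mss=0:    offloaded=%d segments=%u bytes=%zu\n",
           zero.offloaded, zero.segments, zero.bytes_sent);
    return 0;
}
```

The point of the ordering is that the guard runs before any arithmetic on the MSS; checking the loop bound alone would still leave the division reachable, and checking the division alone would still leave the non-advancing loop.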
can include/hw/pci: Split pci_device.h off pci.h 2023-01-08 01:54:22 -05:00
fsl_etsec fsl_etsec: Use hw/net/mii.h 2023-03-10 15:35:38 +08:00
rocker rocker: Tweak stubbed out monitor commands' error messages 2023-02-23 14:10:17 +01:00
allwinner_emac.c
allwinner-sun8i-emac.c hw/net/allwinner-sun8i-emac: Correctly byteswap descriptor fields 2023-05-02 15:47:41 +01:00
cadence_gem.c
dp8393x.c
e1000_common.h e1000: Split header files 2023-03-10 15:35:38 +08:00
e1000_regs.h e1000: Split header files 2023-03-10 15:35:38 +08:00
e1000.c e1000x: Share more Rx filtering logic 2023-05-23 15:20:15 +08:00
e1000e_core.c e1000e: Notify only new interrupts 2023-05-23 15:20:15 +08:00
e1000e_core.h e1000e: Notify only new interrupts 2023-05-23 15:20:15 +08:00
e1000e.c e1000: Split header files 2023-03-10 15:35:38 +08:00
e1000x_common.c e1000x: Take CRC into consideration for size check 2023-05-23 15:20:15 +08:00
e1000x_common.h e1000x: Share more Rx filtering logic 2023-05-23 15:20:15 +08:00
e1000x_regs.h e1000x: Rename TcpIpv6 into TcpIpv6Ex 2023-05-23 15:20:15 +08:00
eepro100.c
etraxfs_eth.c
ftgmac100.c
i82596.c
i82596.h
igb_common.h igb: Implement Rx PTP2 timestamp 2023-05-23 15:20:15 +08:00
igb_core.c igb: Clear-on-read ICR when ICR.INTA is set 2023-05-23 15:20:15 +08:00
igb_core.h igb: implement VFRE and VFTE registers 2023-03-28 13:10:55 +08:00
igb_regs.h igb: Implement Tx timestamp 2023-05-23 15:20:15 +08:00
igb.c igb: Share common VF constants 2023-05-23 15:20:15 +08:00
igbvf.c igb: Share common VF constants 2023-05-23 15:20:15 +08:00
imx_fec.c hw/net/imx_fec: Support two Ethernet interfaces connected to single MDIO bus 2023-04-20 10:25:43 +01:00
Kconfig vmxnet3: Do not depend on PC 2023-05-23 15:20:15 +08:00
lan9118.c hw/net/lan9118: log [read|write]b when mode_16bit is enabled rather than abort 2023-02-17 13:31:33 +08:00
lance.c
lasi_i82596.c
mcf_fec.c
meson.build hw/net: Move xilinx_ethlite.c to the target-independent source set 2023-05-16 09:14:18 +02:00
mipsnet.c
msf2-emac.c hw/net/msf2-emac: Don't modify descriptor in-place in emac_store_desc() 2023-05-02 15:47:40 +01:00
mv88w8618_eth.c
ne2000-isa.c
ne2000-pci.c
ne2000.c
ne2000.h
net_rx_pkt.c igb: Strip the second VLAN tag for extended VLAN 2023-05-23 15:20:15 +08:00
net_rx_pkt.h igb: Strip the second VLAN tag for extended VLAN 2023-05-23 15:20:15 +08:00
net_tx_pkt.c igb: Implement Tx SCTP CSO 2023-05-23 15:20:15 +08:00
net_tx_pkt.h igb: Implement Tx SCTP CSO 2023-05-23 15:20:15 +08:00
npcm7xx_emc.c hw/net: npcm7xx_emc: set MAC in register space 2023-05-02 15:47:39 +01:00
opencores_eth.c
pcnet-pci.c
pcnet.c
pcnet.h
rtl8139.c rtl8139: fix large_send_mss divide-by-zero 2023-05-23 15:20:15 +08:00
smc91c111.c
spapr_llan.c
stellaris_enet.c
sungem.c
sunhme.c
trace-events igb: Notify only new interrupts 2023-05-23 15:20:15 +08:00
trace.h
tulip.c
tulip.h
vhost_net-stub.c
vhost_net.c
virtio-net.c net/net_rx_pkt: Use iovec for net_rx_pkt_set_protocols() 2023-05-23 15:20:15 +08:00
vmware_utils.h
vmxnet3_defs.h
vmxnet3.c vmxnet3: Reset packet state after emptying Tx queue 2023-05-23 15:20:15 +08:00
vmxnet3.h
vmxnet_debug.h
xen_nic.c hw/xen: Use XEN_PAGE_SIZE in PV backend drivers 2023-03-07 17:04:30 +00:00
xgmac.c
xilinx_axienet.c
xilinx_ethlite.c hw/net: Move xilinx_ethlite.c to the target-independent source set 2023-05-16 09:14:18 +02:00