From: Stefan Hajnoczi
Subject: [Qemu-devel] [PULL for-2.4 1/7] rtl8139: avoid nested ifs in IP header parsing (CVE-2015-5165)
Date: Mon, 3 Aug 2015 13:08:35 +0100
Transmit offload needs to parse packet headers. If header fields have
unexpected values the offload processing is skipped.
The code currently uses nested ifs because there is relatively little
input validation. The next patches will add missing input validation
and a goto label is more appropriate to avoid deep if statement nesting.
Reported-by: 朱东海(启路) <address@hidden>
Reviewed-by: Jason Wang <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
---
hw/net/rtl8139.c | 35 +++++++++++++++++++----------------
1 file changed, 19 insertions(+), 16 deletions(-)
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
index e0db472..8731a30 100644
--- a/hw/net/rtl8139.c
+++ b/hw/net/rtl8139.c
@@ -2160,28 +2160,30 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
size_t eth_payload_len = 0;
int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12));
- if (proto == ETH_P_IP)
+ if (proto != ETH_P_IP)
{
- DPRINTF("+++ C+ mode has IP packet\n");
+ goto skip_offload;
+ }
+
+ DPRINTF("+++ C+ mode has IP packet\n");
- /* not aligned */
- eth_payload_data = saved_buffer + ETH_HLEN;
- eth_payload_len = saved_size - ETH_HLEN;
+ /* not aligned */
+ eth_payload_data = saved_buffer + ETH_HLEN;
+ eth_payload_len = saved_size - ETH_HLEN;
- ip = (ip_header*)eth_payload_data;
+ ip = (ip_header*)eth_payload_data;
- if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {
- DPRINTF("+++ C+ mode packet has bad IP version %d "
- "expected %d\n", IP_HEADER_VERSION(ip),
- IP_HEADER_VERSION_4);
- ip = NULL;
- } else {
- hlen = IP_HEADER_LENGTH(ip);
- ip_protocol = ip->ip_p;
- ip_data_len = be16_to_cpu(ip->ip_len) - hlen;
- }
+ if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {
+ DPRINTF("+++ C+ mode packet has bad IP version %d "
+ "expected %d\n", IP_HEADER_VERSION(ip),
+ IP_HEADER_VERSION_4);
+ goto skip_offload;
}
+ hlen = IP_HEADER_LENGTH(ip);
+ ip_protocol = ip->ip_p;
+ ip_data_len = be16_to_cpu(ip->ip_len) - hlen;
+
if (ip)
{
if (txdw0 & CP_TX_IPCS)
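Review bot: with the early `goto skip_offload` on a bad IP version, `ip` can no longer be NULL when control reaches the `if (ip)` at the end of this hunk, so that test is now tautologous and the block it guards could be flattened one more level in a follow-up. Separately, both before and after this change the header fields are read (`*(uint16_t *)(saved_buffer + 12)`, `IP_HEADER_VERSION(ip)`, `ip->ip_p`, `ip->ip_len`) without anything checking that `saved_size` covers `ETH_HLEN` plus an IP header, and `ip_data_len = be16_to_cpu(ip->ip_len) - hlen;` is computed without checking that `ip_len` is at least `hlen`; the commit message says the next patches add the missing validation, so please make sure those checks are placed before this point and take the `skip_offload` path, the same as the version check does here.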
@@ -2377,6 +2379,7 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
}
}
+skip_offload:
/* update tally counter */
++s->tally_counters.TxOk;
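Review bot: the `skip_offload:` label lands directly before the tally counter update, so a frame whose headers fail parsing is still transmitted and still counted in `TxOk`; that matches the commit message, but it is not obvious at the label itself. A one-line comment above `skip_offload:` saying that offload was skipped because the headers could not be parsed would document that contract for the later validation patches that will add more jumps to this label.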
--
2.4.3
- [Qemu-devel] [PULL for-2.4 0/7] Rtl8139 cplus tx input validation patches, Stefan Hajnoczi, 2015/08/03
- [Qemu-devel] [PULL for-2.4 2/7] rtl8139: drop tautologous if (ip) {...} statement (CVE-2015-5165), Stefan Hajnoczi, 2015/08/03
- [Qemu-devel] [PULL for-2.4 1/7] rtl8139: avoid nested ifs in IP header parsing (CVE-2015-5165), Stefan Hajnoczi, 2015/08/03
- [Qemu-devel] [PULL for-2.4 4/7] rtl8139: check IP Header Length field (CVE-2015-5165), Stefan Hajnoczi, 2015/08/03
- [Qemu-devel] [PULL for-2.4 3/7] rtl8139: skip offload on short Ethernet/IP header (CVE-2015-5165), Stefan Hajnoczi, 2015/08/03
- [Qemu-devel] [PULL for-2.4 5/7] rtl8139: check IP Total Length field (CVE-2015-5165), Stefan Hajnoczi, 2015/08/03
- [Qemu-devel] [PULL for-2.4 7/7] rtl8139: check TCP Data Offset field (CVE-2015-5165), Stefan Hajnoczi, 2015/08/03
- [Qemu-devel] [PULL for-2.4 6/7] rtl8139: skip offload on short TCP header (CVE-2015-5165), Stefan Hajnoczi, 2015/08/03
- Re: [Qemu-devel] [PULL for-2.4 0/7] Rtl8139 cplus tx input validation patches, Peter Maydell, 2015/08/03