You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
113 lines
3.7 KiB
113 lines
3.7 KiB
8 years ago
|
This patch fixed a problem that was introduced in commit eb700029.
|
||
|
|
||
|
When net_rx_pkt_attach_iovec() calls eth_strip_vlan()
|
||
|
this can result in pkt->ehdr_buf being overflowed, because
|
||
|
ehdr_buf is only sizeof(struct eth_header) bytes large
|
||
|
but eth_strip_vlan() can write
|
||
|
sizeof(struct eth_header) + sizeof(struct vlan_header)
|
||
|
bytes into it.
|
||
|
|
||
|
Devices affected by this problem: vmxnet3.
|
||
|
|
||
|
Reported-by: Peter Maydell <address@hidden>
|
||
|
Signed-off-by: Dmitry Fleytman <address@hidden>
|
||
|
---
|
||
|
hw/net/net_rx_pkt.c | 34 +++++++++++++++++-----------------
|
||
|
1 file changed, 17 insertions(+), 17 deletions(-)
|
||
|
|
||
|
diff --git a/hw/net/net_rx_pkt.c b/hw/net/net_rx_pkt.c
|
||
|
index 1019b50..7c0beac 100644
|
||
|
--- a/hw/net/net_rx_pkt.c
|
||
|
+++ b/hw/net/net_rx_pkt.c
|
||
|
@@ -23,13 +23,13 @@
|
||
|
|
||
|
struct NetRxPkt {
|
||
|
struct virtio_net_hdr virt_hdr;
|
||
|
- uint8_t ehdr_buf[sizeof(struct eth_header)];
|
||
|
+ uint8_t ehdr_buf[sizeof(struct eth_header) + sizeof(struct vlan_header)];
|
||
|
struct iovec *vec;
|
||
|
uint16_t vec_len_total;
|
||
|
uint16_t vec_len;
|
||
|
uint32_t tot_len;
|
||
|
uint16_t tci;
|
||
|
- bool vlan_stripped;
|
||
|
+ size_t ehdr_buf_len;
|
||
|
bool has_virt_hdr;
|
||
|
eth_pkt_types_e packet_type;
|
||
|
|
||
|
@@ -88,15 +88,13 @@ net_rx_pkt_pull_data(struct NetRxPkt *pkt,
|
||
|
const struct iovec *iov, int iovcnt,
|
||
|
size_t ploff)
|
||
|
{
|
||
|
- if (pkt->vlan_stripped) {
|
||
|
+ if (pkt->ehdr_buf_len) {
|
||
|
net_rx_pkt_iovec_realloc(pkt, iovcnt + 1);
|
||
|
|
||
|
pkt->vec[0].iov_base = pkt->ehdr_buf;
|
||
|
- pkt->vec[0].iov_len = sizeof(pkt->ehdr_buf);
|
||
|
-
|
||
|
- pkt->tot_len =
|
||
|
- iov_size(iov, iovcnt) - ploff + sizeof(struct eth_header);
|
||
|
+ pkt->vec[0].iov_len = pkt->ehdr_buf_len;
|
||
|
|
||
|
+ pkt->tot_len = iov_size(iov, iovcnt) - ploff + pkt->ehdr_buf_len;
|
||
|
pkt->vec_len = iov_copy(pkt->vec + 1, pkt->vec_len_total - 1,
|
||
|
iov, iovcnt, ploff, pkt->tot_len);
|
||
|
} else {
|
||
|
@@ -123,11 +121,12 @@ void net_rx_pkt_attach_iovec(struct NetRxPkt *pkt,
|
||
|
uint16_t tci = 0;
|
||
|
uint16_t ploff = iovoff;
|
||
|
assert(pkt);
|
||
|
- pkt->vlan_stripped = false;
|
||
|
|
||
|
if (strip_vlan) {
|
||
|
- pkt->vlan_stripped = eth_strip_vlan(iov, iovcnt, iovoff, pkt->ehdr_buf,
|
||
|
- &ploff, &tci);
|
||
|
+ pkt->ehdr_buf_len = eth_strip_vlan(iov, iovcnt, iovoff, pkt->ehdr_buf,
|
||
|
+ &ploff, &tci);
|
||
|
+ } else {
|
||
|
+ pkt->ehdr_buf_len = 0;
|
||
|
}
|
||
|
|
||
|
pkt->tci = tci;
|
||
|
@@ -143,12 +142,13 @@ void net_rx_pkt_attach_iovec_ex(struct NetRxPkt *pkt,
|
||
|
uint16_t tci = 0;
|
||
|
uint16_t ploff = iovoff;
|
||
|
assert(pkt);
|
||
|
- pkt->vlan_stripped = false;
|
||
|
|
||
|
if (strip_vlan) {
|
||
|
- pkt->vlan_stripped = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet,
|
||
|
- pkt->ehdr_buf,
|
||
|
- &ploff, &tci);
|
||
|
+ pkt->ehdr_buf_len = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet,
|
||
|
+ pkt->ehdr_buf,
|
||
|
+ &ploff, &tci);
|
||
|
+ } else {
|
||
|
+ pkt->ehdr_buf_len = 0;
|
||
|
}
|
||
|
|
||
|
pkt->tci = tci;
|
||
|
@@ -162,8 +162,8 @@ void net_rx_pkt_dump(struct NetRxPkt *pkt)
|
||
|
NetRxPkt *pkt = (NetRxPkt *)pkt;
|
||
|
assert(pkt);
|
||
|
|
||
|
- printf("RX PKT: tot_len: %d, vlan_stripped: %d, vlan_tag: %d\n",
|
||
|
- pkt->tot_len, pkt->vlan_stripped, pkt->tci);
|
||
|
+ printf("RX PKT: tot_len: %d, ehdr_buf_len: %lu, vlan_tag: %d\n",
|
||
|
+ pkt->tot_len, pkt->ehdr_buf_len, pkt->tci);
|
||
|
#endif
|
||
|
}
|
||
|
|
||
|
@@ -426,7 +426,7 @@ bool net_rx_pkt_is_vlan_stripped(struct NetRxPkt *pkt)
|
||
|
{
|
||
|
assert(pkt);
|
||
|
|
||
|
- return pkt->vlan_stripped;
|
||
|
+ return pkt->ehdr_buf_len ? true : false;
|
||
|
}
|
||
|
|
||
|
bool net_rx_pkt_has_virt_hdr(struct NetRxPkt *pkt)
|
||
|
--
|
||
|
2.7.4
|