• J
    net: drop too large packet early · b528bb28
    Jason Wang 提交于
    We try to detect and drop too large packet (>INT_MAX) in 1592a994
    ("net: ignore packet size greater than INT_MAX") during packet
    delivering. Unfortunately, this is not sufficient as we may hit
    another integer overflow when trying to queue such large packet in
    qemu_net_queue_append_iov():
    
    - size of the allocation may overflow on 32bit
    - packet->size is integer which may overflow even on 64bit
    
    Fixing this by moving the check to qemu_sendv_packet_async() which is
    the entrance of all networking codes and reduce the limit to
    NET_BUFSIZE to be more conservative. This works since:
    
    - For the callers that call qemu_sendv_packet_async() directly, they
      only care about if zero is returned to determine whether to prevent
      the source from producing more packets. A callback will be triggered
      if peer can accept more then source could be enabled. This is
      usually used by high speed networking implementation like virtio-net
      or netmap.
    - For the callers that call qemu_sendv_packet() that calls
      qemu_sendv_packet_async() indirectly, they often ignore the return
      value. In this case qemu will just the drop packets if peer can't
      receive.
    
    Qemu will copy the packet if it was queued. So it was safe for both
    kinds of the callers to assume the packet was sent.
    
    Since we move the check from qemu_deliver_packet_iov() to
    qemu_sendv_packet_async(), it would be safer to make
    qemu_deliver_packet_iov() static to prevent any external user in the
    future.
    
    This is a revised patch of CVE-2018-17963.
    
    Cc: qemu-stable@nongnu.org
    Cc: Li Qiang <liq3ea@163.com>
    Fixes: 1592a994 ("net: ignore packet size greater than INT_MAX")
    Reported-by: NLi Qiang <liq3ea@gmail.com>
    Reviewed-by: NLi Qiang <liq3ea@gmail.com>
    Signed-off-by: NJason Wang <jasowang@redhat.com>
    Reviewed-by: NThomas Huth <thuth@redhat.com>
    Message-id: 20181204035347.6148-2-jasowang@redhat.com
    Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
    (cherry picked from commit 25c01bd1)
    Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
    b528bb28
net.c 45.2 KB