net_util: queue_pair: Avoid integer overflow

This integer overflow was triggered with fuzzing on the virtio-net device. The integer overflow is from the wrong assumption that the packets read from or written to the tap device is always larger than the size of a virtio-net header. Signed-off-by: Bo Chen <chen.bo@intel.com> (cherry picked from commit 559faa272a6db63958a861fa8c333cca7b911163) Signed-off-by: Rob Bradford <robert.bradford@intel.com>
2025-01-11 23:27:40 +00:00 · 2022-11-28 08:15:38 -08:00 · 2022-11-28 08:15:38 -08:00 · 167fef382a
commit 167fef382a
parent 5126e9b26e
1 changed files with 10 additions and 0 deletions
--- a/net_util/src/queue_pair.rs
+++ b/net_util/src/queue_pair.rs
@ -104,6 +104,10 @@ impl TxVirtio {
                    return Err(NetQueuePairError::WriteTap(e));
                }

+                if (result as usize) < vnet_hdr_len() {
+                    return Err(NetQueuePairError::InvalidVirtioNetHeader);
+                }
+
                self.counter_bytes += Wrapping(result as u64 - vnet_hdr_len() as u64);
                self.counter_frames += Wrapping(1);

@ -238,6 +242,10 @@ impl RxVirtio {
                    return Err(NetQueuePairError::ReadTap(e));
                }

+                if (result as usize) < vnet_hdr_len() {
+                    return Err(NetQueuePairError::InvalidVirtioNetHeader);
+                }
+
                // Write num_buffers to guest memory. We simply write 1 as we
                // never spread the frame over more than one descriptor chain.
                desc_chain
@ -314,6 +322,8 @@ pub enum NetQueuePairError {
    QueueAddUsed(virtio_queue::Error),
    #[error("Descriptor with invalid virtio-net header")]
    DescriptorInvalidHeader,
+    #[error("Invalid virtio-net header")]
+    InvalidVirtioNetHeader,
 }

 pub struct NetQueuePair {