From 167fef382ab908d58ae9f1d618194ca8ff6aaf1c Mon Sep 17 00:00:00 2001
From: Bo Chen <chen.bo@intel.com>
Date: Mon, 28 Nov 2022 08:15:38 -0800
Subject: [PATCH] net_util: queue_pair: Avoid integer overflow

This integer overflow was triggered with fuzzing on the virtio-net
device. The integer overflow is from the wrong assumption that the
packets read from or written to the tap device is always larger than the
size of a virtio-net header.

Signed-off-by: Bo Chen <chen.bo@intel.com>
(cherry picked from commit 559faa272a6db63958a861fa8c333cca7b911163)
Signed-off-by: Rob Bradford <robert.bradford@intel.com>
---
 net_util/src/queue_pair.rs | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/net_util/src/queue_pair.rs b/net_util/src/queue_pair.rs
index 1dbf58b26..d9bd19db3 100644
--- a/net_util/src/queue_pair.rs
+++ b/net_util/src/queue_pair.rs
@@ -104,6 +104,10 @@ impl TxVirtio {
                     return Err(NetQueuePairError::WriteTap(e));
                 }
 
+                if (result as usize) < vnet_hdr_len() {
+                    return Err(NetQueuePairError::InvalidVirtioNetHeader);
+                }
+
                 self.counter_bytes += Wrapping(result as u64 - vnet_hdr_len() as u64);
                 self.counter_frames += Wrapping(1);
 
@@ -238,6 +242,10 @@ impl RxVirtio {
                     return Err(NetQueuePairError::ReadTap(e));
                 }
 
+                if (result as usize) < vnet_hdr_len() {
+                    return Err(NetQueuePairError::InvalidVirtioNetHeader);
+                }
+
                 // Write num_buffers to guest memory. We simply write 1 as we
                 // never spread the frame over more than one descriptor chain.
                 desc_chain
@@ -314,6 +322,8 @@ pub enum NetQueuePairError {
     QueueAddUsed(virtio_queue::Error),
     #[error("Descriptor with invalid virtio-net header")]
     DescriptorInvalidHeader,
+    #[error("Invalid virtio-net header")]
+    InvalidVirtioNetHeader,
 }
 
 pub struct NetQueuePair {