mirror of
https://github.com/cloud-hypervisor/cloud-hypervisor.git
synced 2025-01-03 03:15:20 +00:00
net_util: queue_pair: Avoid integer overflow
This integer overflow was triggered with fuzzing on the virtio-net device. The integer overflow is from the wrong assumption that the packets read from or written to the tap device is always larger than the size of a virtio-net header. Signed-off-by: Bo Chen <chen.bo@intel.com>
This commit is contained in:
parent
6f8bd27cf7
commit
559faa272a
@ -105,6 +105,10 @@ impl TxVirtio {
|
|||||||
return Err(NetQueuePairError::WriteTap(e));
|
return Err(NetQueuePairError::WriteTap(e));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (result as usize) < vnet_hdr_len() {
|
||||||
|
return Err(NetQueuePairError::InvalidVirtioNetHeader);
|
||||||
|
}
|
||||||
|
|
||||||
self.counter_bytes += Wrapping(result as u64 - vnet_hdr_len() as u64);
|
self.counter_bytes += Wrapping(result as u64 - vnet_hdr_len() as u64);
|
||||||
self.counter_frames += Wrapping(1);
|
self.counter_frames += Wrapping(1);
|
||||||
|
|
||||||
@ -240,6 +244,10 @@ impl RxVirtio {
|
|||||||
return Err(NetQueuePairError::ReadTap(e));
|
return Err(NetQueuePairError::ReadTap(e));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (result as usize) < vnet_hdr_len() {
|
||||||
|
return Err(NetQueuePairError::InvalidVirtioNetHeader);
|
||||||
|
}
|
||||||
|
|
||||||
// Write num_buffers to guest memory. We simply write 1 as we
|
// Write num_buffers to guest memory. We simply write 1 as we
|
||||||
// never spread the frame over more than one descriptor chain.
|
// never spread the frame over more than one descriptor chain.
|
||||||
desc_chain
|
desc_chain
|
||||||
@ -316,6 +324,8 @@ pub enum NetQueuePairError {
|
|||||||
QueueAddUsed(virtio_queue::Error),
|
QueueAddUsed(virtio_queue::Error),
|
||||||
#[error("Descriptor with invalid virtio-net header")]
|
#[error("Descriptor with invalid virtio-net header")]
|
||||||
DescriptorInvalidHeader,
|
DescriptorInvalidHeader,
|
||||||
|
#[error("Invalid virtio-net header")]
|
||||||
|
InvalidVirtioNetHeader,
|
||||||
}
|
}
|
||||||
|
|
||||||
pub struct NetQueuePair {
|
pub struct NetQueuePair {
|
||||||
|
Loading…
Reference in New Issue
Block a user