-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1
 
 iQEcBAABAgAGBQJhlx3cAAoJEO8Ells5jWIRS2QH/0o9xGF696ERTuxO4PtdEQRf
 Em9HmPSB2yMQNrPfo6/P5PTyXfrPSi9LrDjw0JR7WmAI8JbYuxUm8D9iFwCdWwHk
 SOKbShk+JPWD0j1C4DO40aXfelN+0yUa4bccvgr7vnt2LeZuJg7k4lG7U5GUdhHG
 OWxqR8wC4+obkQYuPOxocOaoYgFfgNkOayVKPZkSW3wOKwRj8w8pMT31V2xKMkPH
 OXeMiShbVKkcrBXZKxjQR3I0NWDJfjkYH2mcxq2uAHenzHuixd7LhbRiMtX991No
 ckOz1kjCBooXUBG/uXmqW5zqiRr0h7CBXVekfhX3iZPkr6oMfj6VVGZj3KwTPXQ=
 =m0td
 -----END PGP SIGNATURE-----

Merge tag 'net-pull-request' of https://github.com/jasowang/qemu into staging

# gpg: Signature made Fri 19 Nov 2021 04:45:32 AM CET
# gpg:                using RSA key EF04965B398D6211
# gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <jasowang@redhat.com>" [marginal]
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 215D 46F4 8246 689E C77F  3562 EF04 965B 398D 6211

* tag 'net-pull-request' of https://github.com/jasowang/qemu:
  net/colo-compare.c: Fix incorrect return when input wrong size
  net/colo-compare.c: Fix ACK track reverse issue
  net: vmxnet3: validate configuration values during activate (CVE-2021-20203)

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Richard Henderson 2021-11-19 09:49:16 +01:00
commit 3760a04c35
2 changed files with 18 additions and 3 deletions


@ -1441,6 +1441,7 @@ static void vmxnet3_activate_device(VMXNET3State *s)
vmxnet3_setup_rx_filtering(s);
/* Cache fields from shared memory */
s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu);
assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU);
VMW_CFPRN("MTU is %u", s->mtu);
s->max_rx_frags =
@ -1486,6 +1487,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
/* Read rings memory locations for TX queues */
pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.txRingBasePA);
size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.txRingSize);
if (size > VMXNET3_TX_RING_MAX_SIZE) {
size = VMXNET3_TX_RING_MAX_SIZE;
}
vmxnet3_ring_init(d, &s->txq_descr[i].tx_ring, pa, size,
sizeof(struct Vmxnet3_TxDesc), false);
@ -1496,6 +1500,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
/* TXC ring */
pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.compRingBasePA);
size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.compRingSize);
if (size > VMXNET3_TC_RING_MAX_SIZE) {
size = VMXNET3_TC_RING_MAX_SIZE;
}
vmxnet3_ring_init(d, &s->txq_descr[i].comp_ring, pa, size,
sizeof(struct Vmxnet3_TxCompDesc), true);
VMXNET3_RING_DUMP(VMW_CFPRN, "TXC", i, &s->txq_descr[i].comp_ring);
@ -1537,6 +1544,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
/* RX rings */
pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.rxRingBasePA[j]);
size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.rxRingSize[j]);
if (size > VMXNET3_RX_RING_MAX_SIZE) {
size = VMXNET3_RX_RING_MAX_SIZE;
}
vmxnet3_ring_init(d, &s->rxq_descr[i].rx_ring[j], pa, size,
sizeof(struct Vmxnet3_RxDesc), false);
VMW_CFPRN("RX queue %d:%d: Base: %" PRIx64 ", Size: %d",
@ -1546,6 +1556,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
/* RXC ring */
pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.compRingBasePA);
size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.compRingSize);
if (size > VMXNET3_RC_RING_MAX_SIZE) {
size = VMXNET3_RC_RING_MAX_SIZE;
}
vmxnet3_ring_init(d, &s->rxq_descr[i].comp_ring, pa, size,
sizeof(struct Vmxnet3_RxCompDesc), true);
VMW_CFPRN("RXC queue %d: Base: %" PRIx64 ", Size: %d", i, pa, size);
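Review bot: The MTU check added in the first hunk of vmxnet3_activate_device is an `assert()` on a value the guest supplies: `s->mtu` is read from driver shared memory on the line above, so an out-of-range MTU aborts the whole QEMU process instead of being rejected. The ring-size hunks below it handle the same kind of guest input by clamping, and the MTU should likewise be handled without aborting, for example `if (s->mtu < VMXNET3_MIN_MTU || s->mtu >= VMXNET3_MAX_MTU) { qemu_log_mask(LOG_GUEST_ERROR, "vmxnet3: bad MTU %u\n", s->mtu); return; }`. The function body starts and ends outside these hunks, so whether an early return leaves the device in a consistent state needs checking against the full function. The four clamps bound only the upper end; a ring size of 0 still reaches vmxnet3_ring_init, and it is worth confirming that this is safe.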


@ -209,7 +209,8 @@ static void fill_pkt_tcp_info(void *data, uint32_t *max_ack)
pkt->tcp_seq = ntohl(tcphd->th_seq);
pkt->tcp_ack = ntohl(tcphd->th_ack);
*max_ack = *max_ack > pkt->tcp_ack ? *max_ack : pkt->tcp_ack;
/* Need to consider ACK will bigger than uint32_t MAX */
*max_ack = pkt->tcp_ack - *max_ack > 0 ? pkt->tcp_ack : *max_ack;
pkt->header_size = pkt->transport_header - (uint8_t *)pkt->data
+ (tcphd->th_off << 2);
pkt->payload_size = pkt->size - pkt->header_size;
@ -413,7 +414,8 @@ static void colo_compare_tcp(CompareState *s, Connection *conn)
* can ensure that the packet's payload is acknowledged by
* primary and secondary.
*/
uint32_t min_ack = conn->pack > conn->sack ? conn->sack : conn->pack;
uint32_t min_ack = conn->pack - conn->sack > 0 ?
conn->sack : conn->pack;
pri:
if (g_queue_is_empty(&conn->primary_list)) {
@ -805,7 +807,7 @@ static int compare_chr_send(CompareState *s,
}
if (!size) {
return 0;
return -1;
}
entry = g_slice_new(SendEntry);
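Review bot: The two wraparound comparisons added in fill_pkt_tcp_info and colo_compare_tcp do unsigned arithmetic, so `pkt->tcp_ack - *max_ack > 0` is true whenever the two values differ, not only when the ACK is ahead. `max_ack` is a `uint32_t *` in the signature, and if `pkt->tcp_ack`, `conn->pack` and `conn->sack` are also 32-bit unsigned (their declarations are outside the hunks), max_ack always becomes the latest ACK and min_ack always becomes `conn->sack`. Serial-number comparison needs the difference reinterpreted as signed: `*max_ack = (int32_t)(pkt->tcp_ack - *max_ack) > 0 ? pkt->tcp_ack : *max_ack;` and `uint32_t min_ack = (int32_t)(conn->pack - conn->sack) > 0 ? conn->sack : conn->pack;`. The new comment would read better as `/* ACK numbers wrap around at UINT32_MAX, so compare by signed difference */`.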