On 05/07/2021 10.40, Philippe Mathieu-Daudé wrote:
> Our infrastructure can handle fragmented packets up to
> NET_MAX_FRAG_SG_LIST (64) pieces. This hard limit has
> been proven enough in production for years. If it is
> reached, it is likely an evil crafted packet. Discard it.
>
> Include the qtest reproducer provided by Alexander Bulekov:
>
>   $ make check-qtest-i386
>   ...
>   Running test qtest-i386/fuzz-vmxnet3-test
>   qemu-system-i386: net/eth.c:334: void eth_setup_ip4_fragmentation(const void *, size_t, void *, size_t, size_t, size_t, _Bool): Assertion `frag_offset % IP_FRAG_UNIT_SIZE == 0' failed.
>
> Cc: [email protected]
> Reported-by: OSS-Fuzz (Issue 35799)
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/460
> Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
> ---
>  hw/net/net_tx_pkt.c             |   8 ++
>  tests/qtest/fuzz-vmxnet3-test.c | 195 ++++++++++++++++++++++++++++++++
>  MAINTAINERS                     |   1 +
>  tests/qtest/meson.build         |   1 +
>  4 files changed, 205 insertions(+)
>  create mode 100644 tests/qtest/fuzz-vmxnet3-test.c
Reviewed-by: Thomas Huth <[email protected]>
Jason, I think this would even still qualify for QEMU v6.1?
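The quoted description states the security-relevant idea without showing it: a guest can post an arbitrary number of scatter-gather pieces for one packet, and the device model must enforce a hard upper bound and discard the packet when the bound is hit rather than walk past a fixed-size array. The following C example is added here to illustrate that pattern; it is not QEMU's net_tx_pkt.c, and the struct and function names (sg_entry, tx_pkt, tx_pkt_add_raw_fragment, assemble_tx_pkt, try_assemble) are hypothetical. It takes the limit of 64 from the description and assumes IP_FRAG_UNIT_SIZE is 8, the 8-byte unit of the IPv4 fragment-offset field, to show the offset condition from the assertion message as a validation of guest-controlled input rather than an assert.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hard limit on scatter-gather pieces per packet, taken from the patch
 * description (64). Names below are hypothetical, not QEMU's own. */
#define NET_MAX_FRAG_SG_LIST 64

/* Assumption: IPv4 fragment offsets are in 8-byte units, so a fragment
 * boundary must be a multiple of 8. */
#define IP_FRAG_UNIT_SIZE 8

struct sg_entry {
    uint64_t addr;   /* guest-physical address of the piece */
    size_t   len;    /* length of the piece in bytes */
};

struct tx_pkt {
    struct sg_entry raw[NET_MAX_FRAG_SG_LIST];  /* fixed-size list */
    size_t raw_frags;                           /* entries in use */
    size_t total_len;                           /* bytes across pieces */
};

void tx_pkt_reset(struct tx_pkt *pkt)
{
    memset(pkt, 0, sizeof *pkt);
}

/* Append one piece. Returns false, writing nothing, once the list is full;
 * without this check raw_frags would index past raw[]. */
bool tx_pkt_add_raw_fragment(struct tx_pkt *pkt, uint64_t addr, size_t len)
{
    if (pkt->raw_frags >= NET_MAX_FRAG_SG_LIST) {
        return false;
    }
    pkt->raw[pkt->raw_frags].addr = addr;
    pkt->raw[pkt->raw_frags].len  = len;
    pkt->raw_frags++;
    pkt->total_len += len;
    return true;
}

/* Walks the n descriptors a guest posted. Returns the number of pieces
 * accepted, or -1 after discarding the whole packet (raw_frags back to 0)
 * when the limit is reached, as the description prescribes. */
int assemble_tx_pkt(struct tx_pkt *pkt, const struct sg_entry *descs, size_t n)
{
    tx_pkt_reset(pkt);
    for (size_t i = 0; i < n; i++) {
        if (!tx_pkt_add_raw_fragment(pkt, descs[i].addr, descs[i].len)) {
            tx_pkt_reset(pkt);   /* drop the crafted packet entirely */
            return -1;
        }
    }
    return (int)pkt->raw_frags;
}

/* Validate a guest-supplied fragment offset instead of asserting on it. */
bool ip4_frag_offset_valid(size_t frag_offset)
{
    return frag_offset % IP_FRAG_UNIT_SIZE == 0;
}

/* Constructed descriptor ring: n pieces of 16 bytes each, back to back. */
void make_descs(struct sg_entry *out, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        out[i].addr = 0x1000 + 16 * i;
        out[i].len  = 16;
    }
}

/* Drive the assembler with n constructed pieces (capped at 128) and report
 * the result plus how many pieces remain in the packet afterwards. */
int try_assemble(size_t n, size_t *frags_left)
{
    struct sg_entry descs[2 * NET_MAX_FRAG_SG_LIST];
    struct tx_pkt pkt;
    if (n > 2 * NET_MAX_FRAG_SG_LIST) {
        n = 2 * NET_MAX_FRAG_SG_LIST;
    }
    make_descs(descs, n);
    int r = assemble_tx_pkt(&pkt, descs, n);
    if (frags_left) {
        *frags_left = pkt.raw_frags;
    }
    return r;
}

size_t frags_left_after(size_t n)
{
    size_t left = 0;
    try_assemble(n, &left);
    return left;
}

int main(void)
{
    printf("64 pieces: result %d\n", try_assemble(64, NULL));
    printf("65 pieces: result %d, pieces kept %zu\n",
           try_assemble(65, NULL), frags_left_after(65));
    return 0;
}
```

The point to take from the example is where the check sits: at the single append function that owns the array, so every caller that feeds guest descriptors is covered, and the failure path discards the whole packet rather than leaving a partially built one behind.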