+-- On Wed, 24 Feb 2016, Jason Wang wrote --+
| > - hw/net/virtio-net.c
| > if (size > 27 && size < 1500) &&
| > (buf[34] == 0 && buf[35] == 67)) {
|
| Are we sure size of buf is >= 35 here?
No; I'm yet to see why it checks for > 27. If (27 < size < 34) then we have
anot
On 02/23/2016 07:11 PM, P J P wrote:
> Hello Jason,
>
> +-- On Tue, 23 Feb 2016, Jason Wang wrote --+
> | Let's avoid adding assert() here since it could be triggered by guest.
>
> Okay.
>
> | I think you need audit all the callers to see if the issue mentioned by
> | Markus existed first.
>
Hello Jason,
+-- On Tue, 23 Feb 2016, Jason Wang wrote --+
| Let's avoid adding assert() here since it could be triggered by guest.
Okay.
| I think you need audit all the callers to see if the issue mentioned by
| Markus existed first.
Yes, I did. As mentioned earlier, some have check for
On 02/18/2016 06:33 PM, P J P wrote:
> Hello Markus,
>
> +-- On Thu, 18 Feb 2016, Markus Armbruster wrote --+
> |
> | if ((data[14] & 0xf0) != 0x40)
> | Buffer overrun when length <= 14.
> |
> | proto = data[23];
> | Buffer overrun when length <= 23.
> |
> | I think we sh
Hello Markus,
+-- On Thu, 18 Feb 2016, Markus Armbruster wrote --+
|
| if ((data[14] & 0xf0) != 0x40)
| Buffer overrun when length <= 14.
|
| proto = data[23];
| Buffer overrun when length <= 23.
|
| I think we should check that we got at least an IPv4 header without
| opt
P J P writes:
> +-- On Wed, 17 Feb 2016, Markus Armbruster wrote --+
> |> From: Prasad J Pandit
> |>
> |> While computing IP checksum, 'net_checksum_calculate' reads
> |> payload length from the packet. It could exceed the given 'data'
> |> buffer size. Add a check to avoid it.
> |>
> |> Reporte
+-- On Thu, 18 Feb 2016, P J P wrote --+
| +-- On Wed, 17 Feb 2016, Markus Armbruster wrote --+
| | Is calling this function with a partial IPv4 TCP/UDP packet legitimate?
| | If partial packet is okay, what about a partial header?
|
| Partial? That shouldn't harm I guess.
For partial TCP/UD
+-- On Wed, 17 Feb 2016, Markus Armbruster wrote --+
| Is calling this function with a partial IPv4 TCP/UDP packet legitimate?
| If partial packet is okay, what about a partial header?
Partial? That shouldn't harm I guess.
| If not, should we assert plen + hlen <= length? Or == length, even?
P J P writes:
> From: Prasad J Pandit
>
> While computing IP checksum, 'net_checksum_calculate' reads
> payload length from the packet. It could exceed the given 'data'
> buffer size. Add a check to avoid it.
>
> Reported-by: Liu Ling
> Signed-off-by: Prasad J Pandit
> ---
> net/checksum.c |
From: Prasad J Pandit
While computing IP checksum, 'net_checksum_calculate' reads
payload length from the packet. It could exceed the given 'data'
buffer size. Add a check to avoid it.
Reported-by: Liu Ling
Signed-off-by: Prasad J Pandit
---
net/checksum.c | 5 +++--
1 file changed, 3 inserti
10 matches
Mail list logo
