[RFC,08/10] Sanity check & More bypass cases check.

Message ID	1453760690-21221-9-git-send-email-wexu@redhat.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org> From: wexu@redhat.com To: qemu-devel@nongnu.org Date: Tue, 26 Jan 2016 06:24:48 +0800 Message-Id: <1453760690-21221-9-git-send-email-wexu@redhat.com> In-Reply-To: <1453760690-21221-1-git-send-email-wexu@redhat.com> References: <1453760690-21221-1-git-send-email-wexu@redhat.com> Cc: victork@redhat.com, mst@redhat.com, jasowang@redhat.com, yvugenfi@redhat.com, Wei Xu <wexu@redhat.com>, marcel@redhat.com, dfleytma@redhat.com Subject: [Qemu-devel] [RFC Patch 08/10] Sanity check & More bypass cases check. Precedence: list Errors-To: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org Sender: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org

Message ID

1453760690-21221-9-git-send-email-wexu@redhat.com (mailing list archive)

State

New, archived

Headers

From: wexu@redhat.com
To: qemu-devel@nongnu.org
Date: Tue, 26 Jan 2016 06:24:48 +0800
Message-Id: <1453760690-21221-9-git-send-email-wexu@redhat.com>
In-Reply-To: <1453760690-21221-1-git-send-email-wexu@redhat.com>
References: <1453760690-21221-1-git-send-email-wexu@redhat.com>
Cc: victork@redhat.com, mst@redhat.com, jasowang@redhat.com,
	yvugenfi@redhat.com, Wei Xu <wexu@redhat.com>, marcel@redhat.com,
	dfleytma@redhat.com
Subject: [Qemu-devel] [RFC Patch 08/10] Sanity check & More bypass cases
	check.
Precedence: list
Errors-To: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org
Sender: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org

Commit Message

Wei Xu Jan. 25, 2016, 10:24 p.m. UTC

1. IP options & IP fragment should be bypassed.
2. Sanity size check to prevent buffer overflow attack.

Signed-off-by: Wei Xu <wexu@redhat.com>
---
 hw/net/virtio-net.c | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index 042b538..55e8e99 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -1948,6 +1948,46 @@  static size_t virtio_net_rsc_drain_one(NetRscChain *chain, NetClientState *nc,
 
     return virtio_net_do_receive(nc, buf, size);
 }
+
+static int32_t virtio_net_rsc_filter4(NetRscChain *chain, struct ip_header *ip,
+                                      const uint8_t *buf, size_t size)
+{
+    uint16_t ip_len;
+
+    if (size < (TCP4_OFFSET + sizeof(tcp_header))) {
+        return RSC_BYPASS;
+    }
+
+    /* Not an ipv4 one */
+    if (0x4 != ((0xF0 & ip->ip_ver_len) >> 4)) {
+        return RSC_BYPASS;
+    }
+
+    /* Don't handle packets with ip option */
+    if (5 != (0xF & ip->ip_ver_len)) {
+        return RSC_BYPASS;
+    }
+
+    /* Don't handle packets with ip fragment */
+    if (!(htons(ip->ip_off) & IP_DF)) {
+        return RSC_BYPASS;
+    }
+
+    if (ip->ip_p != IPPROTO_TCP) {
+        return RSC_BYPASS;
+    }
+
+    /* Sanity check */
+    ip_len = htons(ip->ip_len);
+    if (ip_len < (sizeof(struct ip_header) + sizeof(struct tcp_header))
+        || ip_len > (size - IP_OFFSET)) {
+        return RSC_BYPASS;
+    }
+
+    return RSC_WANT;
+}
+
+
 static size_t virtio_net_rsc_receive4(void *opq, NetClientState* nc,
                                       const uint8_t *buf, size_t size)
 {
@@ -1958,6 +1998,10 @@  static size_t virtio_net_rsc_receive4(void *opq, NetClientState* nc,
     chain = (NetRscChain *)opq;
     ip = (struct ip_header *)(buf + IP_OFFSET);
 
+    if (RSC_WANT != virtio_net_rsc_filter4(chain, ip, buf, size)) {
+        return virtio_net_do_receive(nc, buf, size);
+    }
+
     ret = virtio_net_rsc_parse_tcp_ctrl((uint8_t *)ip,
                                         (0xF & ip->ip_ver_len) << 2);
     if (RSC_BYPASS == ret) {