diff options
| author | Stefan Hajnoczi <stefanha@redhat.com> | 2015-07-15 17:34:40 +0100 |
|---|---|---|
| committer | Michael Roth <mdroth@linux.vnet.ibm.com> | 2015-08-04 12:33:48 -0500 |
| commit | b7a197c39e4b2099f25d2137e8d73c53c37b92c6 (patch) | |
| tree | 5bdba0a81b3e95fe5bf2ce478b2f0fcdc66da151 | |
| parent | 85611098ff39ffaa8d78c02bb16eb2c5355d9899 (diff) | |
| download | qemu-b7a197c39e4b2099f25d2137e8d73c53c37b92c6.tar.gz | |
rtl8139: check IP Total Length field (CVE-2015-5165)
The IP Total Length field includes the IP header and data. Make sure it
is valid and does not exceed the Ethernet payload size.
Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit c6296ea88df040054ccd781f3945fe103f8c7c17)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
| -rw-r--r-- | hw/net/rtl8139.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c index 2d978660be..c88bf9b311 100644 --- a/hw/net/rtl8139.c +++ b/hw/net/rtl8139.c @@ -2191,7 +2191,12 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s) } ip_protocol = ip->ip_p; - ip_data_len = be16_to_cpu(ip->ip_len) - hlen; + + ip_data_len = be16_to_cpu(ip->ip_len); + if (ip_data_len < hlen || ip_data_len > eth_payload_len) { + goto skip_offload; + } + ip_data_len -= hlen; if (txdw0 & CP_TX_IPCS) { |