Commit 39b8e7dc authored by Stefan Hajnoczi's avatar Stefan Hajnoczi

rtl8139: avoid nested ifs in IP header parsing (CVE-2015-5165)



Transmit offload needs to parse packet headers.  If header fields have
unexpected values, the offload processing is skipped.

The code currently uses nested ifs because there is relatively little
input validation.  The next patches will add missing input validation
and a goto label is more appropriate to avoid deep if statement nesting.

Reported-by: default avatar朱东海(启路) <donghai.zdh@alibaba-inc.com>
Reviewed-by: default avatarJason Wang <jasowang@redhat.com>
Signed-off-by: default avatarStefan Hajnoczi <stefanha@redhat.com>
parent cb48f67a
+22 −19
@@ -2160,8 +2160,11 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
            size_t   eth_payload_len  = 0;

            int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12));
            if (proto == ETH_P_IP)
            if (proto != ETH_P_IP)
            {
                goto skip_offload;
            }

            DPRINTF("+++ C+ mode has IP packet\n");

            /* not aligned */
@@ -2174,13 +2177,12 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
                DPRINTF("+++ C+ mode packet has bad IP version %d "
                    "expected %d\n", IP_HEADER_VERSION(ip),
                    IP_HEADER_VERSION_4);
                    ip = NULL;
                } else {
                goto skip_offload;
            }

            hlen = IP_HEADER_LENGTH(ip);
            ip_protocol = ip->ip_p;
            ip_data_len = be16_to_cpu(ip->ip_len) - hlen;
                }
            }

            if (ip)
            {
@@ -2377,6 +2379,7 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
            }
        }

skip_offload:
        /* update tally counter */
        ++s->tally_counters.TxOk;