mirror of https://github.com/proxmox/mirror_qemu
virtio-net: correct packet length math
We were requesting too much when checking buffer length: size already includes host header length. Further, we should not exit if we get a packet that is too long, since this might not be under control of the guest. Just drop the packet. Red Hat bz 591494 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>master
parent
a213ff63ea
commit
279a42535d
|
@ -528,17 +528,18 @@ static ssize_t virtio_net_receive(VLANClientState *nc, const uint8_t *buf, size_
|
||||||
{
|
{
|
||||||
VirtIONet *n = DO_UPCAST(NICState, nc, nc)->opaque;
|
VirtIONet *n = DO_UPCAST(NICState, nc, nc)->opaque;
|
||||||
struct virtio_net_hdr_mrg_rxbuf *mhdr = NULL;
|
struct virtio_net_hdr_mrg_rxbuf *mhdr = NULL;
|
||||||
size_t hdr_len, offset, i;
|
size_t guest_hdr_len, offset, i, host_hdr_len;
|
||||||
|
|
||||||
if (!virtio_net_can_receive(&n->nic->nc))
|
if (!virtio_net_can_receive(&n->nic->nc))
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
/* hdr_len refers to the header we supply to the guest */
|
/* hdr_len refers to the header we supply to the guest */
|
||||||
hdr_len = n->mergeable_rx_bufs ?
|
guest_hdr_len = n->mergeable_rx_bufs ?
|
||||||
sizeof(struct virtio_net_hdr_mrg_rxbuf) : sizeof(struct virtio_net_hdr);
|
sizeof(struct virtio_net_hdr_mrg_rxbuf) : sizeof(struct virtio_net_hdr);
|
||||||
|
|
||||||
|
|
||||||
if (!virtio_net_has_buffers(n, size + hdr_len))
|
host_hdr_len = n->has_vnet_hdr ? sizeof(struct virtio_net_hdr) : 0;
|
||||||
|
if (!virtio_net_has_buffers(n, size + guest_hdr_len - host_hdr_len))
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
if (!receive_filter(n, buf, size))
|
if (!receive_filter(n, buf, size))
|
||||||
|
@ -553,13 +554,14 @@ static ssize_t virtio_net_receive(VLANClientState *nc, const uint8_t *buf, size_
|
||||||
|
|
||||||
total = 0;
|
total = 0;
|
||||||
|
|
||||||
if ((i != 0 && !n->mergeable_rx_bufs) ||
|
if (virtqueue_pop(n->rx_vq, &elem) == 0) {
|
||||||
virtqueue_pop(n->rx_vq, &elem) == 0) {
|
|
||||||
if (i == 0)
|
if (i == 0)
|
||||||
return -1;
|
return -1;
|
||||||
fprintf(stderr, "virtio-net truncating packet: "
|
fprintf(stderr, "virtio-net unexpected empty queue: "
|
||||||
"offset %zd, size %zd, hdr_len %zd\n",
|
"i %zd mergeable %d offset %zd, size %zd, "
|
||||||
offset, size, hdr_len);
|
"guest hdr len %zd, host hdr len %zd guest features 0x%x\n",
|
||||||
|
i, n->mergeable_rx_bufs, offset, size,
|
||||||
|
guest_hdr_len, host_hdr_len, n->vdev.guest_features);
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -568,7 +570,7 @@ static ssize_t virtio_net_receive(VLANClientState *nc, const uint8_t *buf, size_
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!n->mergeable_rx_bufs && elem.in_sg[0].iov_len != hdr_len) {
|
if (!n->mergeable_rx_bufs && elem.in_sg[0].iov_len != guest_hdr_len) {
|
||||||
fprintf(stderr, "virtio-net header not in first element\n");
|
fprintf(stderr, "virtio-net header not in first element\n");
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
@ -580,19 +582,32 @@ static ssize_t virtio_net_receive(VLANClientState *nc, const uint8_t *buf, size_
|
||||||
mhdr = (struct virtio_net_hdr_mrg_rxbuf *)sg[0].iov_base;
|
mhdr = (struct virtio_net_hdr_mrg_rxbuf *)sg[0].iov_base;
|
||||||
|
|
||||||
offset += receive_header(n, sg, elem.in_num,
|
offset += receive_header(n, sg, elem.in_num,
|
||||||
buf + offset, size - offset, hdr_len);
|
buf + offset, size - offset, guest_hdr_len);
|
||||||
total += hdr_len;
|
total += guest_hdr_len;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* copy in packet. ugh */
|
/* copy in packet. ugh */
|
||||||
len = iov_from_buf(sg, elem.in_num,
|
len = iov_from_buf(sg, elem.in_num,
|
||||||
buf + offset, size - offset);
|
buf + offset, size - offset);
|
||||||
total += len;
|
total += len;
|
||||||
|
offset += len;
|
||||||
|
/* If buffers can't be merged, at this point we
|
||||||
|
* must have consumed the complete packet.
|
||||||
|
* Otherwise, drop it. */
|
||||||
|
if (!n->mergeable_rx_bufs && offset < size) {
|
||||||
|
#if 0
|
||||||
|
fprintf(stderr, "virtio-net truncated non-mergeable packet: "
|
||||||
|
|
||||||
|
"i %zd mergeable %d offset %zd, size %zd, "
|
||||||
|
"guest hdr len %zd, host hdr len %zd\n",
|
||||||
|
i, n->mergeable_rx_bufs,
|
||||||
|
offset, size, guest_hdr_len, host_hdr_len);
|
||||||
|
#endif
|
||||||
|
return size;
|
||||||
|
}
|
||||||
|
|
||||||
/* signal other side */
|
/* signal other side */
|
||||||
virtqueue_fill(n->rx_vq, &elem, total, i++);
|
virtqueue_fill(n->rx_vq, &elem, total, i++);
|
||||||
|
|
||||||
offset += len;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (mhdr)
|
if (mhdr)
|
||||||
|
|
Loading…
Reference in New Issue