On 03/02/2016 07:59 PM, P J P wrote: > From: Prasad J Pandit <p...@fedoraproject.org> > > While computing IP checksum, 'net_checksum_calculate' reads > payload length from the packet. It could exceed the given 'data' > buffer size. Add a check to avoid it. > > Reported-by: Liu Ling <liuling...@360.cn> > Signed-off-by: Prasad J Pandit <p...@fedoraproject.org> > --- > net/checksum.c | 10 ++++++++-- > 1 file changed, 8 insertions(+), 2 deletions(-) > > Update as per review: > -> https://lists.gnu.org/archive/html/qemu-devel/2016-02/msg06121.html > > diff --git a/net/checksum.c b/net/checksum.c > index 14c0855..0942437 100644 > --- a/net/checksum.c > +++ b/net/checksum.c > @@ -59,6 +59,11 @@ void net_checksum_calculate(uint8_t *data, int length) > int hlen, plen, proto, csum_offset; > uint16_t csum; > > + /* Ensure data has complete L2 & L3 headers. */ > + if (length < 14 + 20) { > + return; > + } > + > if ((data[14] & 0xf0) != 0x40) > return; /* not IPv4 */ > hlen = (data[14] & 0x0f) * 4; > @@ -76,8 +81,9 @@ void net_checksum_calculate(uint8_t *data, int length) > return; > } > > - if (plen < csum_offset+2) > - return; > + if (plen < csum_offset + 2 || 14 + hlen + plen > length) { > + return; > + } > > data[14+hlen+csum_offset] = 0; > data[14+hlen+csum_offset+1] = 0;
Applied to -net. Thanks
