Jason Wang <jasow...@redhat.com> wrote on Thursday, 29 November 2018 at 11:12 AM:
> We try to detect and drop too large packet (>INT_MAX) in 1592a9947036 > ("net: ignore packet size greater than INT_MAX") during packet > delivering. Unfortunately, this is not sufficient as we may hit > another integer overflow when trying to queue such large packet in > qemu_net_queue_append_iov(): > > - size of the allocation may overflow on 32bit > - packet->size is integer which may overflow even on 64bit > > Fixing this by move the check to qemu_sendv_packet_async() which is > the entrance of all networking codes and reduce the limit to > NET_BUFSIZE to be more conservative. > > Cc: qemu-sta...@nongnu.org > Cc: Li Qiang <liq...@163.com> > Reported-by: Li Qiang <liq...@gmail.com> > Signed-off-by: Jason Wang <jasow...@redhat.com> > Looks ok to me. Reviewed-by: Li Qiang <liq...@gmail.com> > --- > net/net.c | 13 +++++++------ > 1 file changed, 7 insertions(+), 6 deletions(-) > > diff --git a/net/net.c b/net/net.c > index 07c194a8f6..affe1877cf 100644 > --- a/net/net.c > +++ b/net/net.c > @@ -712,15 +712,11 @@ ssize_t qemu_deliver_packet_iov(NetClientState > *sender, > void *opaque) > { > NetClientState *nc = opaque; > - size_t size = iov_size(iov, iovcnt); > int ret; > > - if (size > INT_MAX) { > - return size; > - } > > if (nc->link_down) { > - return size; > + return iov_size(iov, iovcnt); > } > > if (nc->receive_disabled) { > @@ -745,10 +741,15 @@ ssize_t qemu_sendv_packet_async(NetClientState > *sender, > NetPacketSent *sent_cb) > { > NetQueue *queue; > + size_t size = iov_size(iov, iovcnt); > int ret; > > + if (size > NET_BUFSIZE) { > + return size; > + } > + > if (sender->link_down || !sender->peer) { > - return iov_size(iov, iovcnt); > + return size; > } > > /* Let filters handle the packet first */ > -- > 2.17.1 > >
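Review bot: In the first hunk (qemu_deliver_packet_iov), removing the `size_t size` declaration and the `if (size > INT_MAX)` block leaves two consecutive blank lines between `int ret;` and `if (nc->link_down) {`, because the blank context line before the removed block and the one after it both survive; drop one of them so the function keeps the single-blank-line spacing used in the rest of the file. The replacement `return iov_size(iov, iovcnt);` on the link_down path is fine, since the only other user of the removed local was the check being moved.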
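Review bot: In the second hunk (qemu_sendv_packet_async), the new `if (size > NET_BUFSIZE) { return size; }` only guards packets that enter through this function, while the commit message's claim that it is "the entrance of all networking codes" is not something the diff itself shows; since the first hunk removes the only check that sat on the delivery side, any other entry point that reaches qemu_net_queue_append_iov() without passing through qemu_sendv_packet_async() is now unchecked, so the commit message should state why no such entry point exists or why its callers are already bounded by NET_BUFSIZE. A one-line comment above the check saying that NET_BUFSIZE bounds both the allocation size on 32-bit and the `int packet->size` in qemu_net_queue_append_iov() would spare the next reader a trip to the commit log. Note also that the early return reports the oversized packet as fully sent, the same convention the existing link_down path uses, so callers will not retry; that matches the "drop" intent but is worth a word in that comment.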