From: Olivier Matz <olivier.m...@6wind.com>
If hdr->csum_start is larger than packet length, the len argument passed
to rte_raw_cksum_mbuf() overflows and causes a segmentation fault.
Ignore checksum computation in this case.
CVE-2024-11614
Fixes: ca7036b4af3a ("vhost: fix offload flags in Rx path")
Signed-off-by: Maxime Gouin <maxime.go...@6wind.com>
Signed-off-by: Olivier Matz <olivier.m...@6wind.com>
Reviewed-by: Maxime Coquelin <maxime.coque...@redhat.com>
---
lib/vhost/virtio_net.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/vhost/virtio_net.c b/lib/vhost/virtio_net.c
index d764d4bc6a..69901ab3b5 100644
--- a/lib/vhost/virtio_net.c
+++ b/lib/vhost/virtio_net.c
@@ -2823,6 +2823,9 @@ vhost_dequeue_offload(struct virtio_net *dev, struct
virtio_net_hdr *hdr,
*/
uint16_t csum = 0, off;
+ if (hdr->csum_start >= rte_pktmbuf_pkt_len(m))
+ return;
+
if (rte_raw_cksum_mbuf(m, hdr->csum_start,
rte_pktmbuf_pkt_len(m) -
hdr->csum_start, &csum) < 0)
return;
--
2.47.0
