We try to detect and drop too large packet (>INT_MAX) in 1592a9947036
("net: ignore packet size greater than INT_MAX") during packet
delivering. Unfortunately, this is not sufficient as we may hit
another integer overflow when trying to queue such large packet in
qemu_net_queue_append_iov():
- size of the allocation may overflow on 32bit
- packet->size is integer which may overflow even on 64bit
Fixing this by move the check to qemu_sendv_packet_async() which is
the entrance of all networking codes and reduce the limit to
NET_BUFSIZE to be more conservative.
Cc: qemu-sta...@nongnu.org
Cc: Li Qiang <liq...@163.com>
Reported-by: Li Qiang <liq...@gmail.com>
Signed-off-by: Jason Wang <jasow...@redhat.com>
---
net/net.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/net/net.c b/net/net.c
index 07c194a8f6..affe1877cf 100644
--- a/net/net.c
+++ b/net/net.c
@@ -712,15 +712,11 @@ ssize_t qemu_deliver_packet_iov(NetClientState *sender,
void *opaque)
{
NetClientState *nc = opaque;
- size_t size = iov_size(iov, iovcnt);
int ret;
- if (size > INT_MAX) {
- return size;
- }
if (nc->link_down) {
- return size;
+ return iov_size(iov, iovcnt);
}
if (nc->receive_disabled) {
@@ -745,10 +741,15 @@ ssize_t qemu_sendv_packet_async(NetClientState *sender,
NetPacketSent *sent_cb)
{
NetQueue *queue;
+ size_t size = iov_size(iov, iovcnt);
int ret;
+ if (size > NET_BUFSIZE) {
+ return size;
+ }
+
if (sender->link_down || !sender->peer) {
- return iov_size(iov, iovcnt);
+ return size;
}
/* Let filters handle the packet first */
--
2.17.1
