From: Akihiko Odaki <akihiko.od...@daynix.com>

Check the payload length if checksumming to ensure the payload contains the space for the resulting value.
This bug was found by Alexander Bulekov with the fuzzer: https://patchew.org/QEMU/20230129053316.1071513-1-alx...@bu.edu/ The fixed test case is: fuzz/crash_6aeaa33e7211ecd603726c53e834df4c6d1e08bc Fixes: e263cd49c7 ("Packet abstraction for VMWARE network devices") Signed-off-by: Akihiko Odaki <akihiko.od...@daynix.com> Signed-off-by: Jason Wang <jasow...@redhat.com> --- hw/net/net_tx_pkt.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c index 4a35e84..986a3ad 100644 --- a/hw/net/net_tx_pkt.c +++ b/hw/net/net_tx_pkt.c @@ -342,11 +342,17 @@ bool net_tx_pkt_build_vheader(struct NetTxPkt *pkt, bool tso_enable, if (csum_enable) { switch (pkt->l4proto) { case IP_PROTO_TCP: + if (pkt->payload_len < sizeof(struct tcp_hdr)) { + return false; + } pkt->virt_hdr.flags = VIRTIO_NET_HDR_F_NEEDS_CSUM; pkt->virt_hdr.csum_start = pkt->hdr_len; pkt->virt_hdr.csum_offset = offsetof(struct tcp_hdr, th_sum); break; case IP_PROTO_UDP: + if (pkt->payload_len < sizeof(struct udp_hdr)) { + return false; + } pkt->virt_hdr.flags = VIRTIO_NET_HDR_F_NEEDS_CSUM; pkt->virt_hdr.csum_start = pkt->hdr_len; pkt->virt_hdr.csum_offset = offsetof(struct udp_hdr, uh_sum); -- 2.7.4
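Review bot: The bound chosen in both new checks is the full L4 header size (`sizeof(struct tcp_hdr)` and `sizeof(struct udp_hdr)`) rather than the minimum the checksum write actually needs (`offsetof(..., th_sum) + sizeof(uint16_t)`, and likewise for `uh_sum`); that is the stricter and saner choice, since a payload shorter than its own transport header is malformed regardless of checksum offload, but a one-line comment above the TCP check saying so would save the next reader from wondering whether the bound is off by the tail of the header. Worth confirming that every caller of `net_tx_pkt_build_vheader` already treats a `false` return as "drop the packet" rather than "send without vheader"; the hunk gives no indication either way, and a silent `return false` in a checksum path is easy to misread as "no checksum needed". Since the fix addresses a fuzzer-found crash, the commit message could also state in one sentence what the out-of-range `csum_offset` led to (which consumer of `virt_hdr` overran the buffer), so the reproducer path is understandable without opening the linked fuzz case.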