From 290e6e113b65ae86cfa37f2ff5ca5eb57dbf824c Mon Sep 17 00:00:00 2001 From: Fam Zheng Date: Wed, 15 Feb 2017 16:31:43 +0800 Subject: net: Remove useless local var pkt This has been pointless since commit 605d52e62, which was a search-and-replace, overlooked the redundancy. Signed-off-by: Fam Zheng Reviewed-by: Dmitry Fleytman Signed-off-by: Jason Wang --- hw/net/net_rx_pkt.c | 1 - 1 file changed, 1 deletion(-) (limited to 'hw/net/net_rx_pkt.c') diff --git a/hw/net/net_rx_pkt.c b/hw/net/net_rx_pkt.c index 1019b50c18..7f928d7339 100644 --- a/hw/net/net_rx_pkt.c +++ b/hw/net/net_rx_pkt.c @@ -159,7 +159,6 @@ void net_rx_pkt_attach_iovec_ex(struct NetRxPkt *pkt, void net_rx_pkt_dump(struct NetRxPkt *pkt) { #ifdef NET_RX_PKT_DEBUG - NetRxPkt *pkt = (NetRxPkt *)pkt; assert(pkt); printf("RX PKT: tot_len: %d, vlan_stripped: %d, vlan_tag: %d\n", -- cgit 1.4.1 From df8bf7a7fe75eb5d5caffa55f5cd4292b757aea6 Mon Sep 17 00:00:00 2001 From: Dmitry Fleytman Date: Thu, 16 Feb 2017 14:29:33 +0200 Subject: NetRxPkt: Fix memory corruption on VLAN header stripping This patch fixed a problem that was introduced in commit eb700029. When net_rx_pkt_attach_iovec() calls eth_strip_vlan() this can result in pkt->ehdr_buf being overflowed, because ehdr_buf is only sizeof(struct eth_header) bytes large but eth_strip_vlan() can write sizeof(struct eth_header) + sizeof(struct vlan_header) bytes into it. Devices affected by this problem: vmxnet3. Cc: qemu-stable@nongnu.org Reported-by: Peter Maydell Signed-off-by: Dmitry Fleytman Signed-off-by: Jason Wang --- hw/net/net_rx_pkt.c | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) (limited to 'hw/net/net_rx_pkt.c') diff --git a/hw/net/net_rx_pkt.c b/hw/net/net_rx_pkt.c index 7f928d7339..3361d7ebe0 100644 --- a/hw/net/net_rx_pkt.c +++ b/hw/net/net_rx_pkt.c @@ -23,13 +23,13 @@ struct NetRxPkt { struct virtio_net_hdr virt_hdr; - uint8_t ehdr_buf[sizeof(struct eth_header)]; + uint8_t ehdr_buf[sizeof(struct eth_header) + sizeof(struct vlan_header)]; struct iovec *vec; uint16_t vec_len_total; uint16_t vec_len; uint32_t tot_len; uint16_t tci; - bool vlan_stripped; + size_t ehdr_buf_len; bool has_virt_hdr; eth_pkt_types_e packet_type; @@ -88,15 +88,13 @@ net_rx_pkt_pull_data(struct NetRxPkt *pkt, const struct iovec *iov, int iovcnt, size_t ploff) { - if (pkt->vlan_stripped) { + if (pkt->ehdr_buf_len) { net_rx_pkt_iovec_realloc(pkt, iovcnt + 1); pkt->vec[0].iov_base = pkt->ehdr_buf; - pkt->vec[0].iov_len = sizeof(pkt->ehdr_buf); - - pkt->tot_len = - iov_size(iov, iovcnt) - ploff + sizeof(struct eth_header); + pkt->vec[0].iov_len = pkt->ehdr_buf_len; + pkt->tot_len = iov_size(iov, iovcnt) - ploff + pkt->ehdr_buf_len; pkt->vec_len = iov_copy(pkt->vec + 1, pkt->vec_len_total - 1, iov, iovcnt, ploff, pkt->tot_len); } else { @@ -123,11 +121,12 @@ void net_rx_pkt_attach_iovec(struct NetRxPkt *pkt, uint16_t tci = 0; uint16_t ploff = iovoff; assert(pkt); - pkt->vlan_stripped = false; if (strip_vlan) { - pkt->vlan_stripped = eth_strip_vlan(iov, iovcnt, iovoff, pkt->ehdr_buf, - &ploff, &tci); + pkt->ehdr_buf_len = eth_strip_vlan(iov, iovcnt, iovoff, pkt->ehdr_buf, + &ploff, &tci); + } else { + pkt->ehdr_buf_len = 0; } pkt->tci = tci; @@ -143,12 +142,13 @@ void net_rx_pkt_attach_iovec_ex(struct NetRxPkt *pkt, uint16_t tci = 0; uint16_t ploff = iovoff; assert(pkt); - pkt->vlan_stripped = false; if (strip_vlan) { - pkt->vlan_stripped = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet, - pkt->ehdr_buf, - &ploff, &tci); + pkt->ehdr_buf_len = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet, + pkt->ehdr_buf, + &ploff, &tci); + } else { + pkt->ehdr_buf_len = 0; } pkt->tci = tci; @@ -161,8 +161,8 @@ void net_rx_pkt_dump(struct NetRxPkt *pkt) #ifdef NET_RX_PKT_DEBUG assert(pkt); - printf("RX PKT: tot_len: %d, vlan_stripped: %d, vlan_tag: %d\n", - pkt->tot_len, pkt->vlan_stripped, pkt->tci); + printf("RX PKT: tot_len: %d, ehdr_buf_len: %lu, vlan_tag: %d\n", + pkt->tot_len, pkt->ehdr_buf_len, pkt->tci); #endif } @@ -425,7 +425,7 @@ bool net_rx_pkt_is_vlan_stripped(struct NetRxPkt *pkt) { assert(pkt); - return pkt->vlan_stripped; + return pkt->ehdr_buf_len ? true : false; } bool net_rx_pkt_has_virt_hdr(struct NetRxPkt *pkt) -- cgit 1.4.1 From d5e772146d2bbc92e5126c145eddef3b2843d026 Mon Sep 17 00:00:00 2001 From: Dmitry Fleytman Date: Thu, 16 Feb 2017 14:29:34 +0200 Subject: NetRxPkt: Do not try to pull more data than present In case of VLAN stripping, ETH header put into a separate buffer, therefore amont of data copied from original IOV should be smaller. Cc: qemu-stable@nongnu.org Signed-off-by: Dmitry Fleytman Signed-off-by: Jason Wang --- hw/net/net_rx_pkt.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'hw/net/net_rx_pkt.c') diff --git a/hw/net/net_rx_pkt.c b/hw/net/net_rx_pkt.c index 3361d7ebe0..0003a0e88b 100644 --- a/hw/net/net_rx_pkt.c +++ b/hw/net/net_rx_pkt.c @@ -96,7 +96,8 @@ net_rx_pkt_pull_data(struct NetRxPkt *pkt, pkt->tot_len = iov_size(iov, iovcnt) - ploff + pkt->ehdr_buf_len; pkt->vec_len = iov_copy(pkt->vec + 1, pkt->vec_len_total - 1, - iov, iovcnt, ploff, pkt->tot_len); + iov, iovcnt, ploff, + pkt->tot_len - pkt->ehdr_buf_len); } else { net_rx_pkt_iovec_realloc(pkt, iovcnt); -- cgit 1.4.1 From c5d083c561a4f5297cc2e44a2f3cef3324d77a88 Mon Sep 17 00:00:00 2001 From: Dmitry Fleytman Date: Thu, 16 Feb 2017 14:29:35 +0200 Subject: NetRxPkt: Account buffer with ETH header in IOV length In case of VLAN stripping ETH header is stored in a separate chunk and length of IOV should take this into account. This patch fixes checksum validation for RX packets with VLAN header. Devices affected by this problem: e1000e and vmxnet3. Cc: qemu-stable@nongnu.org Signed-off-by: Dmitry Fleytman Signed-off-by: Jason Wang --- hw/net/net_rx_pkt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'hw/net/net_rx_pkt.c') diff --git a/hw/net/net_rx_pkt.c b/hw/net/net_rx_pkt.c index 0003a0e88b..2649d40b5c 100644 --- a/hw/net/net_rx_pkt.c +++ b/hw/net/net_rx_pkt.c @@ -97,7 +97,7 @@ net_rx_pkt_pull_data(struct NetRxPkt *pkt, pkt->tot_len = iov_size(iov, iovcnt) - ploff + pkt->ehdr_buf_len; pkt->vec_len = iov_copy(pkt->vec + 1, pkt->vec_len_total - 1, iov, iovcnt, ploff, - pkt->tot_len - pkt->ehdr_buf_len); + pkt->tot_len - pkt->ehdr_buf_len) + 1; } else { net_rx_pkt_iovec_realloc(pkt, iovcnt); -- cgit 1.4.1 From 002d394fd492f837083058832edd7ee97a8c3280 Mon Sep 17 00:00:00 2001 From: Dmitry Fleytman Date: Thu, 16 Feb 2017 14:29:36 +0200 Subject: NetRxPkt: Remove code duplication in net_rx_pkt_pull_data() This is a refactoring commit that does not change behavior. Signed-off-by: Dmitry Fleytman Signed-off-by: Jason Wang --- hw/net/net_rx_pkt.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'hw/net/net_rx_pkt.c') diff --git a/hw/net/net_rx_pkt.c b/hw/net/net_rx_pkt.c index 2649d40b5c..cef1c2e0d1 100644 --- a/hw/net/net_rx_pkt.c +++ b/hw/net/net_rx_pkt.c @@ -88,20 +88,21 @@ net_rx_pkt_pull_data(struct NetRxPkt *pkt, const struct iovec *iov, int iovcnt, size_t ploff) { + uint32_t pllen = iov_size(iov, iovcnt) - ploff; + if (pkt->ehdr_buf_len) { net_rx_pkt_iovec_realloc(pkt, iovcnt + 1); pkt->vec[0].iov_base = pkt->ehdr_buf; pkt->vec[0].iov_len = pkt->ehdr_buf_len; - pkt->tot_len = iov_size(iov, iovcnt) - ploff + pkt->ehdr_buf_len; + pkt->tot_len = pllen + pkt->ehdr_buf_len; pkt->vec_len = iov_copy(pkt->vec + 1, pkt->vec_len_total - 1, - iov, iovcnt, ploff, - pkt->tot_len - pkt->ehdr_buf_len) + 1; + iov, iovcnt, ploff, pllen) + 1; } else { net_rx_pkt_iovec_realloc(pkt, iovcnt); - pkt->tot_len = iov_size(iov, iovcnt) - ploff; + pkt->tot_len = pllen; pkt->vec_len = iov_copy(pkt->vec, pkt->vec_len_total, iov, iovcnt, ploff, pkt->tot_len); } -- cgit 1.4.1