From mboxrd@z Thu Jan  1 00:00:00 1970
Received: by passt.top (Postfix, from userid 1000)
	id 1DFCB5A031D; Thu, 27 Jun 2024 22:46:41 +0200 (CEST)
From: Stefano Brivio <sbrivio@redhat.com>
To: passt-dev@passt.top
Subject: [PATCH v2 4/5] tap: Discard guest data on length descriptor mismatch
Date: Thu, 27 Jun 2024 22:46:40 +0200
Message-ID: <20240627204641.4046184-5-sbrivio@redhat.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240627204641.4046184-1-sbrivio@redhat.com>
References: <20240627204641.4046184-1-sbrivio@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-ID-Hash: XIETJ7HUXPOTDTVC25TX3RZJU453DCGJ
X-Message-ID-Hash: XIETJ7HUXPOTDTVC25TX3RZJU453DCGJ
X-MailFrom: sbrivio@passt.top
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Matej Hrica <mhrica@redhat.com>, David Gibson <david@gibson.dropbear.id.au>
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/20240627204641.4046184-5-sbrivio@redhat.com/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/XIETJ7HUXPOTDTVC25TX3RZJU453DCGJ/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>

This was reported by Matej a while ago, but we forgot to fix it. Even
if the hypervisor is necessarily trusted by passt, as it can in any
case terminate the guest or disrupt guest connectivity, it's a good
idea to be robust against possible issues.

Instead of resetting the connection to the hypervisor, just discard
the data we read with a single recv(), as we had a few cases where
QEMU would get the length descriptor wrong, in the past.

While at it, change l2len in tap_handler_passt() to uint32_t, as the
length descriptor is logically unsigned and 32-bit wide.

Reported-by: Matej Hrica <mhrica@redhat.com>
Suggested-by: Matej Hrica <mhrica@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
 tap.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/tap.c b/tap.c
index e5c1693..d24a935 100644
--- a/tap.c
+++ b/tap.c
@@ -1021,15 +1021,18 @@ redo:
 	}
 
 	while (n > (ssize_t)sizeof(uint32_t)) {
-		ssize_t l2len = ntohl(*(uint32_t *)p);
+		uint32_t l2len = ntohl(*(uint32_t *)p);
 
 		p += sizeof(uint32_t);
 		n -= sizeof(uint32_t);
 
+		if (l2len > (ssize_t)TAP_BUF_BYTES - n)
+			return;
+
 		/* At most one packet might not fit in a single read, and this
 		 * needs to be blocking.
 		 */
-		if (l2len > n) {
+		if (l2len > (size_t)n) {
 			rem = recv(c->fd_tap, p + n, l2len - n, 0);
 
 			if (sadd_overflow(n, rem, &n))
@@ -1042,8 +1045,7 @@ redo:
 		/* Complete the partial read above before discarding a malformed
 		 * frame, otherwise the stream will be inconsistent.
 		 */
-		if (l2len < (ssize_t)sizeof(struct ethhdr) ||
-		    l2len > (ssize_t)ETH_MAX_MTU)
+		if (l2len < sizeof(struct ethhdr) || l2len > ETH_MAX_MTU)
 			goto next;
 
 		tap_add_packet(c, l2len, p);
-- 
2.43.0