Re: [PATCH 4/4] tap: Drop frames from guest whose length is more than remaining buffer

public inbox for passt-dev@passt.top
 help / color / mirror / code / Atom feed

From: Stefano Brivio <sbrivio@redhat.com>
To: David Gibson <david@gibson.dropbear.id.au>
Cc: passt-dev@passt.top, Matej Hrica <mhrica@redhat.com>
Subject: Re: [PATCH 4/4] tap: Drop frames from guest whose length is more than remaining buffer
Date: Fri, 28 Jun 2024 09:56:35 +0200	[thread overview]
Message-ID: <20240628095628.412a3f15@elisabeth> (raw)
In-Reply-To: <Zn5kCSAWxJoCzyWd@zatzit>

On Fri, 28 Jun 2024 17:19:37 +1000
David Gibson <david@gibson.dropbear.id.au> wrote:

> On Thu, Jun 27, 2024 at 10:21:04AM +0200, Stefano Brivio wrote:
> > On Thu, 27 Jun 2024 11:30:02 +1000
> > David Gibson <david@gibson.dropbear.id.au> wrote:
> >   
> > > On Thu, Jun 27, 2024 at 01:45:36AM +0200, Stefano Brivio wrote:  
> > > > This was reported by Matej a while ago, but we forgot to fix it. Even
> > > > if the hypervisor is necessarily trusted by passt, as it can in any
> > > > case terminate the guest or disrupt guest connectivity, it's a good
> > > > idea to be robust against possible issues.
> > > > 
> > > > Instead of resetting the connection to the hypervisor, just skip the
> > > > offending frame, as we had a few cases where QEMU would get the
> > > > length descriptor wrong, in the past.
> > > > 
> > > > Reported-by: Matej Hrica <mhrica@redhat.com>
> > > > Suggested-by: Matej Hrica <mhrica@redhat.com>
> > > > Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
> > > > ---
> > > >  tap.c | 3 +++
> > > >  1 file changed, 3 insertions(+)
> > > > 
> > > > diff --git a/tap.c b/tap.c
> > > > index 7f8c26d..bb993e0 100644
> > > > --- a/tap.c
> > > > +++ b/tap.c
> > > > @@ -1026,6 +1026,9 @@ redo:    
> > > 
> > > So.. I just realised there's a different pre-existing problem here,
> > > above what's quoted in the patch we have:
> > > 
> > > 		ssize_t l2len = ntohl(*(uint32_t *)p);
> > > 
> > > On a platform where ssize_t is only 32-bits we could get a negative
> > > value here, which would be very bad.  
> > 
> > We can't, because the length is anyway limited to the maximum IPv4 path
> > MTU in any hypervisor we might be talking to.  
> 
> Only if we trust the hypervisor.  And that the user didn't
> misconfigure us to point the socket at something that's not actually a
> hypervisor.  And that it's not some future version of the hypervisor
> configured to use a different framing format.  And that our code is
> robust enough to never get out of sync on the stream.
> 
> I really think it's better to read this into a u32, and range sanity
> check it before we do anything else.

Right... see v2?

-- 
Stefano

     prev parent reply	other threads:[~2024-06-28  7:57 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-06-26 23:45 [PATCH 0/4] Small, assorted "hardening" fixes Stefano Brivio
2024-06-26 23:45 ` [PATCH 1/4] conf: Copy up to MAXDNSRCH - 1 bytes, not MAXDNSRCH Stefano Brivio
2024-06-27  0:45   ` David Gibson
2024-06-27  7:27     ` Stefano Brivio
2024-06-27 10:11       ` David Gibson
2024-06-26 23:45 ` [PATCH 2/4] tcp_splice: Check return value of setsockopt() for SO_RCVLOWAT Stefano Brivio
2024-06-27  0:46   ` David Gibson
2024-06-26 23:45 ` [PATCH 3/4] util, lineread, tap: Overflow checks on long signed sums and subtractions Stefano Brivio
2024-06-27  1:13   ` David Gibson
2024-06-27  7:55     ` Stefano Brivio
2024-06-27 20:46       ` Stefano Brivio
2024-06-28  7:15         ` David Gibson
2024-06-28  7:11       ` David Gibson
2024-06-28  7:55         ` Stefano Brivio
2024-06-28 18:30           ` Stefano Brivio
2024-07-08 13:01             ` Stefano Brivio
2024-06-26 23:45 ` [PATCH 4/4] tap: Drop frames from guest whose length is more than remaining buffer Stefano Brivio
2024-06-27  1:30   ` David Gibson
2024-06-27  8:21     ` Stefano Brivio
2024-06-28  7:19       ` David Gibson
2024-06-28  7:56         ` Stefano Brivio [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240628095628.412a3f15@elisabeth \
    --to=sbrivio@redhat.com \
    --cc=david@gibson.dropbear.id.au \
    --cc=mhrica@redhat.com \
    --cc=passt-dev@passt.top \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://passt.top/passt

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).