This was reported by Matej a while ago, but we forgot to fix it. Even
if the hypervisor is necessarily trusted by passt, as it can in any
case terminate the guest or disrupt guest connectivity, it's a good
idea to be robust against possible issues.
Instead of resetting the connection to the hypervisor, just discard
the data we read with a single recv(), as we had a few cases where
QEMU would get the length descriptor wrong, in the past.
While at it, change l2len in tap_handler_passt() to uint32_t, as the
length descriptor is logically unsigned and 32-bit wide.
Reported-by: Matej Hrica
Suggested-by: Matej Hrica
Signed-off-by: Stefano Brivio
---
tap.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/tap.c b/tap.c
index e5c1693..d24a935 100644
--- a/tap.c
+++ b/tap.c
@@ -1021,15 +1021,18 @@ redo:
}
while (n > (ssize_t)sizeof(uint32_t)) {
- ssize_t l2len = ntohl(*(uint32_t *)p);
+ uint32_t l2len = ntohl(*(uint32_t *)p);
p += sizeof(uint32_t);
n -= sizeof(uint32_t);
+ if (l2len > (ssize_t)TAP_BUF_BYTES - n)
+ return;
+
/* At most one packet might not fit in a single read, and this
* needs to be blocking.
*/
- if (l2len > n) {
+ if (l2len > (size_t)n) {
rem = recv(c->fd_tap, p + n, l2len - n, 0);
if (sadd_overflow(n, rem, &n))
@@ -1042,8 +1045,7 @@ redo:
/* Complete the partial read above before discarding a malformed
* frame, otherwise the stream will be inconsistent.
*/
- if (l2len < (ssize_t)sizeof(struct ethhdr) ||
- l2len > (ssize_t)ETH_MAX_MTU)
+ if (l2len < sizeof(struct ethhdr) || l2len > ETH_MAX_MTU)
goto next;
tap_add_packet(c, l2len, p);
--
2.43.0