Skip to content

Commit

Permalink
net/virtio: fix Rx checksum calculation
Browse files Browse the repository at this point in the history 
If hdr->csum_start is larger than packet length, the len argument passed
to rte_raw_cksum_mbuf() overflows and causes a segmentation fault.

Ignore checksum computation in this case.

CVE-2024-11614

Fixes: ca7036b ("vhost: fix offload flags in Rx path")

Signed-off-by: Maxime Gouin <maxime.gouin@6wind.com>
Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
  • Loading branch information
@olivier-matz-6wind @david-marchand
olivier-matz-6wind authored and david-marchand committed Dec 17, 2024
1 parent 7df61db commit 4dc4e33
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions lib/vhost/virtio_net.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2823,6 +2823,9 @@ vhost_dequeue_offload(struct virtio_net *dev, struct virtio_net_hdr *hdr,
*/
uint16_t csum = 0, off;

if (hdr->csum_start >= rte_pktmbuf_pkt_len(m))
return;

if (rte_raw_cksum_mbuf(m, hdr->csum_start,
rte_pktmbuf_pkt_len(m) - hdr->csum_start, &csum) < 0)
return;
Expand Down

0 comments on commit 4dc4e33

Please sign in to comment.