rtl8139: avoid nested ifs in IP header parsing (CVE-2015-5165)

Transmit offload needs to parse packet headers. If header fields have unexpected values the offload processing is skipped. The code currently uses nested ifs because there is relatively little input validation. The next patches will add missing input validation and a goto label is more appropriate to avoid deep if statement nesting. Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2025-02-26 07:27:39 +00:00 · 2015-07-15 17:13:32 +01:00 · 2015-07-15 17:13:32 +01:00 · 39b8e7dcaf
commit 39b8e7dcaf
parent cb48f67ad8
1 changed files with 22 additions and 19 deletions
--- a/hw/net/rtl8139.c
+++ b/hw/net/rtl8139.c
@ -2160,28 +2160,30 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
            size_t   eth_payload_len  = 0;

            int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12));
-            if (proto == ETH_P_IP)
+            if (proto != ETH_P_IP)
            {
-                DPRINTF("+++ C+ mode has IP packet\n");
-
-                /* not aligned */
-                eth_payload_data = saved_buffer + ETH_HLEN;
-                eth_payload_len  = saved_size   - ETH_HLEN;
-
-                ip = (ip_header*)eth_payload_data;
-
-                if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {
-                    DPRINTF("+++ C+ mode packet has bad IP version %d "
-                        "expected %d\n", IP_HEADER_VERSION(ip),
-                        IP_HEADER_VERSION_4);
-                    ip = NULL;
-                } else {
-                    hlen = IP_HEADER_LENGTH(ip);
-                    ip_protocol = ip->ip_p;
-                    ip_data_len = be16_to_cpu(ip->ip_len) - hlen;
-                }
+                goto skip_offload;
            }

+            DPRINTF("+++ C+ mode has IP packet\n");
+
+            /* not aligned */
+            eth_payload_data = saved_buffer + ETH_HLEN;
+            eth_payload_len  = saved_size   - ETH_HLEN;
+
+            ip = (ip_header*)eth_payload_data;
+
+            if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {
+                DPRINTF("+++ C+ mode packet has bad IP version %d "
+                    "expected %d\n", IP_HEADER_VERSION(ip),
+                    IP_HEADER_VERSION_4);
+                goto skip_offload;
+            }
+
+            hlen = IP_HEADER_LENGTH(ip);
+            ip_protocol = ip->ip_p;
+            ip_data_len = be16_to_cpu(ip->ip_len) - hlen;
+
            if (ip)
            {
                if (txdw0 & CP_TX_IPCS)
@ -2377,6 +2379,7 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
            }
        }

+skip_offload:
        /* update tally counter */
        ++s->tally_counters.TxOk;