From d0b1f19bbace6d59316844999b863dd6cc88e8ae Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Sat, 1 Aug 2015 08:39:27 -0400
Subject: [PATCH 1/7] rtl8139: avoid nested ifs in IP header parsing
 (CVE-2015-5165)

RH-Author: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: <1438418373-7324-2-git-send-email-stefanha@redhat.com>
Patchwork-id: 67258
O-Subject: [virt-devel] [RHEL-6.7.z qemu-kvm EMBARGOED PATCH 1/7] rtl8139: avoid nested ifs in IP header parsing (CVE-2015-5165)
Bugzilla: 1248761
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
RH-Acked-by: Xiao Wang <jasowang@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>

Transmit offload needs to parse packet headers.  If header fields have
unexpected values the offload processing is skipped.

The code currently uses nested ifs because there is relatively little
input validation.  The next patches will add missing input validation
and a goto label is more appropriate to avoid deep if statement nesting.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Jeff E. Nelson <jen@redhat.com>
---
 hw/rtl8139.c | 31 +++++++++++++++++--------------
 1 file changed, 17 insertions(+), 14 deletions(-)

diff --git a/hw/rtl8139.c b/hw/rtl8139.c
index e515488..9f5907e 100644
--- a/hw/rtl8139.c
+++ b/hw/rtl8139.c
@@ -2156,26 +2156,28 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
             size_t   eth_payload_len  = 0;
 
             int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12));
-            if (proto == ETH_P_IP)
+            if (proto != ETH_P_IP)
             {
-                DEBUG_PRINT(("RTL8139: +++ C+ mode has IP packet\n"));
+                goto skip_offload;
+            }
+
+            DEBUG_PRINT(("RTL8139: +++ C+ mode has IP packet\n"));
 
-                /* not aligned */
-                eth_payload_data = saved_buffer + ETH_HLEN;
-                eth_payload_len  = saved_size   - ETH_HLEN;
+            /* not aligned */
+            eth_payload_data = saved_buffer + ETH_HLEN;
+            eth_payload_len  = saved_size   - ETH_HLEN;
 
-                ip = (ip_header*)eth_payload_data;
+            ip = (ip_header*)eth_payload_data;
 
-                if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {
-                    DEBUG_PRINT(("RTL8139: +++ C+ mode packet has bad IP version %d expected %d\n", IP_HEADER_VERSION(ip), IP_HEADER_VERSION_4));
-                    ip = NULL;
-                } else {
-                    hlen = IP_HEADER_LENGTH(ip);
-                    ip_protocol = ip->ip_p;
-                    ip_data_len = be16_to_cpu(ip->ip_len) - hlen;
-                }
+            if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {
+                DEBUG_PRINT(("RTL8139: +++ C+ mode packet has bad IP version %d expected %d\n", IP_HEADER_VERSION(ip), IP_HEADER_VERSION_4));
+                goto skip_offload;
             }
 
+            hlen = IP_HEADER_LENGTH(ip);
+            ip_protocol = ip->ip_p;
+            ip_data_len = be16_to_cpu(ip->ip_len) - hlen;
+
             if (ip)
             {
                 if (txdw0 & CP_TX_IPCS)
@@ -2359,6 +2361,7 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
             }
         }
 
+skip_offload:
         /* update tally counter */
         ++s->tally_counters.TxOk;
 
-- 
2.1.0