From: Ferruh Yigit <ferruh.yigit@intel.com>
To: Bruce Richardson <bruce.richardson@intel.com>,
Olivier Matz <olivier.matz@6wind.com>,
Keith Wiles <keith.wiles@intel.com>
Cc: dev@dpdk.org, Hemant Agrawal <hemant.agrawal@nxp.com>,
Shreyansh Jain <shreyansh.jain@nxp.com>
Subject: Re: [dpdk-dev] [PATCH 0/2] prevent out of bounds read with checksum
Date: Thu, 20 Dec 2018 19:09:11 +0000 [thread overview]
Message-ID: <06be3a8e-d281-bb79-7147-30f4f9c2eeaf@intel.com> (raw)
In-Reply-To: <20181217155005.13457-1-bruce.richardson@intel.com>
On 12/17/2018 3:50 PM, Bruce Richardson wrote:
> The functions for checksumming the packet payload don't perform bounds
> checks, and are used by the TAP driver which does not do any bounds checks
> on the incoming packet either. This means a packet received with an
> incorrect IP header can read beyond the end of the mbuf.
>
> In the worst case, where the length is specified as being smaller than the
> IPv4 header, 32-bit wrap-around on subtraction occurs, meaning that approx
> 4GB of memory will be read.
>
> To fix this, we can introduce a sanity check into the ipv4 function to
> ensure that underflow does not occur. Since the checksum function does not
> take the mbuf length as a parameter, we cannot check for overflow there,
> so we instead perform the checks in the TAP driver directly.
>
> Ideally, in a future release, all checksum functions should be modified to
> take a max buffer length parameter to fix this issue globally.
>
> NOTE: It appears that the dpaa driver also uses these functions, but from
> what I can see there, they are only used on TX, which means that there
> should be less need for parameter length checking, as the data does not
> come from an untrusted source. Perhaps maintainers, Hemant and Shreyansh,
> can confirm?
>
> CC: Hemant Agrawal <hemant.agrawal@nxp.com>
> CC: Shreyansh Jain <shreyansh.jain@nxp.com>
>
> Bruce Richardson (2):
> net: fix underflow for checksum of invalid IPv4 packets
> net/tap: add buffer overflow checks before checksum
Series applied to dpdk-next-net/master, thanks.
prev parent reply other threads:[~2018-12-20 19:09 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-17 15:50 Bruce Richardson
2018-12-17 15:50 ` [dpdk-dev] [PATCH 1/2] net: fix underflow for checksum of invalid IPv4 packets Bruce Richardson
2018-12-18 13:15 ` Hemant Agrawal
2018-12-18 13:18 ` Hemant Agrawal
2018-12-17 15:50 ` [dpdk-dev] [PATCH 2/2] net/tap: add buffer overflow checks before checksum Bruce Richardson
2018-12-20 19:08 ` Ferruh Yigit
2018-12-20 19:33 ` Wiles, Keith
2018-12-18 12:50 ` [dpdk-dev] [PATCH 0/2] prevent out of bounds read with checksum Hemant Agrawal
2018-12-18 13:12 ` Richardson, Bruce
2018-12-20 19:09 ` Ferruh Yigit [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=06be3a8e-d281-bb79-7147-30f4f9c2eeaf@intel.com \
--to=ferruh.yigit@intel.com \
--cc=bruce.richardson@intel.com \
--cc=dev@dpdk.org \
--cc=hemant.agrawal@nxp.com \
--cc=keith.wiles@intel.com \
--cc=olivier.matz@6wind.com \
--cc=shreyansh.jain@nxp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).