From: Hemant Agrawal <hemant.agrawal@nxp.com>
To: Bruce Richardson <bruce.richardson@intel.com>,
Olivier Matz <olivier.matz@6wind.com>,
Keith Wiles <keith.wiles@intel.com>
Cc: "dev@dpdk.org" <dev@dpdk.org>, Shreyansh Jain <shreyansh.jain@nxp.com>
Subject: Re: [dpdk-dev] [PATCH 0/2] prevent out of bounds read with checksum
Date: Tue, 18 Dec 2018 12:50:20 +0000 [thread overview]
Message-ID: <10fc6b4f-70b2-3200-4289-a86b926b4053@nxp.com> (raw)
In-Reply-To: <20181217155005.13457-1-bruce.richardson@intel.com>
HI Bruce,
On 17-Dec-18 9:20 PM, Bruce Richardson wrote:
> The functions for checksumming the packet payload don't perform bounds
> checks, and are used by the TAP driver which does not do any bounds checks
> on the incoming packet either. This means a packet received with an
> incorrect IP header can read beyond the end of the mbuf.
>
> In the worst case, where the length is specified as being smaller than the
> IPv4 header, 32-bit wrap-around on subtraction occurs, meaning that approx
> 4GB of memory will be read.
>
> To fix this, we can introduce a sanity check into the ipv4 function to
> ensure that underflow does not occur. Since the checksum function does not
> take the mbuf length as a parameter, we cannot check for overflow there,
> so we instead perform the checks in the TAP driver directly.
>
> Ideally, in a future release, all checksum functions should be modified to
> take a max buffer length parameter to fix this issue globally.
>
> NOTE: It appears that the dpaa driver also uses these functions, but from
> what I can see there, they are only used on TX, which means that there
> should be less need for parameter length checking, as the data does not
> come from an untrusted source. Perhaps maintainers, Hemant and Shreyansh,
> can confirm?
In DPAA, we are using software based checksum calculation for self
generated packets largely.
They are mostly trust worthy unless someone is deliberately or
mistakenly trying to send a corrupt packet.
We will check, if we can also add some checks in DPAA driver in these
legs without making performance impact for self generated packets.
Regards,
Hemant
>
> CC: Hemant Agrawal <hemant.agrawal@nxp.com>
> CC: Shreyansh Jain <shreyansh.jain@nxp.com>
>
> Bruce Richardson (2):
> net: fix underflow for checksum of invalid IPv4 packets
> net/tap: add buffer overflow checks before checksum
>
> drivers/net/tap/rte_eth_tap.c | 14 ++++++++++++++
> lib/librte_net/rte_ip.h | 12 ++++++++----
> 2 files changed, 22 insertions(+), 4 deletions(-)
>
next prev parent reply other threads:[~2018-12-18 12:50 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-17 15:50 Bruce Richardson
2018-12-17 15:50 ` [dpdk-dev] [PATCH 1/2] net: fix underflow for checksum of invalid IPv4 packets Bruce Richardson
2018-12-18 13:15 ` Hemant Agrawal
2018-12-18 13:18 ` Hemant Agrawal
2018-12-17 15:50 ` [dpdk-dev] [PATCH 2/2] net/tap: add buffer overflow checks before checksum Bruce Richardson
2018-12-20 19:08 ` Ferruh Yigit
2018-12-20 19:33 ` Wiles, Keith
2018-12-18 12:50 ` Hemant Agrawal [this message]
2018-12-18 13:12 ` [dpdk-dev] [PATCH 0/2] prevent out of bounds read with checksum Richardson, Bruce
2018-12-20 19:09 ` Ferruh Yigit
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=10fc6b4f-70b2-3200-4289-a86b926b4053@nxp.com \
--to=hemant.agrawal@nxp.com \
--cc=bruce.richardson@intel.com \
--cc=dev@dpdk.org \
--cc=keith.wiles@intel.com \
--cc=olivier.matz@6wind.com \
--cc=shreyansh.jain@nxp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).