From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga02.intel.com (mga02.intel.com [134.134.136.20]) by dpdk.org (Postfix) with ESMTP id 3DFB91B732; Mon, 17 Dec 2018 07:06:07 +0100 (CET) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga004.jf.intel.com ([10.7.209.38]) by orsmga101.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 16 Dec 2018 22:06:06 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.56,364,1539673200"; d="scan'208";a="260030919" Received: from dpdk15.sh.intel.com ([10.67.111.146]) by orsmga004.jf.intel.com with ESMTP; 16 Dec 2018 22:06:05 -0800 From: Jiayu Hu To: dev@dpdk.org Cc: Jiayu Hu , stable@dpdk.org Date: Mon, 17 Dec 2018 14:05:39 +0800 Message-Id: <1545026739-71980-1-git-send-email-jiayu.hu@intel.com> X-Mailer: git-send-email 2.7.4 Subject: [dpdk-dev] [PATCH] gro: fix overflow of payload length calculation X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Dec 2018 06:06:08 -0000 When the packet length is smaller than the header length, the calculated payload length will be overflowed and result in incorrect reassembly behaviors. Fixes: 1e4cf4d6d4fb ("gro: cleanup") Fixes: 9e0b9d2ec0f4 ("gro: support VxLAN GRO") Cc: stable@dpdk.org Signed-off-by: Jiayu Hu --- lib/librte_gro/gro_tcp4.c | 3 ++- lib/librte_gro/gro_vxlan_tcp4.c | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/lib/librte_gro/gro_tcp4.c b/lib/librte_gro/gro_tcp4.c index 2c0f35c..2fe9aab 100644 --- a/lib/librte_gro/gro_tcp4.c +++ b/lib/librte_gro/gro_tcp4.c @@ -198,7 +198,8 @@ gro_tcp4_reassemble(struct rte_mbuf *pkt, struct ipv4_hdr *ipv4_hdr; struct tcp_hdr *tcp_hdr; uint32_t sent_seq; - uint16_t tcp_dl, ip_id, hdr_len, frag_off; + int32_t tcp_dl; + uint16_t ip_id, hdr_len, frag_off; uint8_t is_atomic; struct tcp4_flow_key key; diff --git a/lib/librte_gro/gro_vxlan_tcp4.c b/lib/librte_gro/gro_vxlan_tcp4.c index ca86f01..955ae4b 100644 --- a/lib/librte_gro/gro_vxlan_tcp4.c +++ b/lib/librte_gro/gro_vxlan_tcp4.c @@ -295,7 +295,8 @@ gro_vxlan_tcp4_reassemble(struct rte_mbuf *pkt, struct udp_hdr *udp_hdr; struct vxlan_hdr *vxlan_hdr; uint32_t sent_seq; - uint16_t tcp_dl, frag_off, outer_ip_id, ip_id; + int32_t tcp_dl; + uint16_t frag_off, outer_ip_id, ip_id; uint8_t outer_is_atomic, is_atomic; struct vxlan_tcp4_flow_key key; -- 2.7.4