From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) by dpdk.org (Postfix) with ESMTP id CC85B1B141 for ; Mon, 15 Apr 2019 11:33:45 +0200 (CEST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga004.fm.intel.com ([10.253.24.48]) by fmsmga101.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 15 Apr 2019 02:33:44 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.60,353,1549958400"; d="scan'208";a="161983255" Received: from silpixa00383879.ir.intel.com (HELO silpixa00383879.ger.corp.intel.com) ([10.237.222.142]) by fmsmga004.fm.intel.com with ESMTP; 15 Apr 2019 02:33:44 -0700 From: Radu Nicolau To: dev@dpdk.org Cc: declan.doherty@intel.com, chas3@att.com, Radu Nicolau Date: Mon, 15 Apr 2019 10:27:38 +0100 Message-Id: <1555320458-9432-1-git-send-email-radu.nicolau@intel.com> X-Mailer: git-send-email 2.7.5 Subject: [dpdk-dev] [PATCH] net/bonding: fix potential out of bounds read X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 15 Apr 2019 09:33:46 -0000 Add validation to pointer constructed from the IPv4 header length in order to prevent malformed packets from generating a potential out of bounds memory read. Signed-off-by: Radu Nicolau --- drivers/net/bonding/rte_eth_bond_pmd.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/net/bonding/rte_eth_bond_pmd.c b/drivers/net/bonding/rte_eth_bond_pmd.c index b0d191d..25dbddc 100644 --- a/drivers/net/bonding/rte_eth_bond_pmd.c +++ b/drivers/net/bonding/rte_eth_bond_pmd.c @@ -842,6 +842,7 @@ burst_xmit_l34_hash(struct rte_mbuf **buf, uint16_t nb_pkts, for (i = 0; i < nb_pkts; i++) { eth_hdr = rte_pktmbuf_mtod(buf[i], struct ether_hdr *); + size_t pkt_end = (size_t)eth_hdr + rte_pktmbuf_pkt_len(buf[i]); proto = eth_hdr->ether_type; vlan_offset = get_vlan_offset(eth_hdr, &proto); l3hash = 0; @@ -865,13 +866,17 @@ burst_xmit_l34_hash(struct rte_mbuf **buf, uint16_t nb_pkts, tcp_hdr = (struct tcp_hdr *) ((char *)ipv4_hdr + ip_hdr_offset); - l4hash = HASH_L4_PORTS(tcp_hdr); + if ((size_t)tcp_hdr + sizeof(*tcp_hdr) + < pkt_end) + l4hash = HASH_L4_PORTS(tcp_hdr); } else if (ipv4_hdr->next_proto_id == IPPROTO_UDP) { udp_hdr = (struct udp_hdr *) ((char *)ipv4_hdr + ip_hdr_offset); - l4hash = HASH_L4_PORTS(udp_hdr); + if ((size_t)udp_hdr + sizeof(*udp_hdr) + < pkt_end) + l4hash = HASH_L4_PORTS(udp_hdr); } } } else if (rte_cpu_to_be_16(ETHER_TYPE_IPv6) == proto) { -- 2.7.5 From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by dpdk.space (Postfix) with ESMTP id 75C72A00E6 for ; Mon, 15 Apr 2019 11:33:48 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id A78951B142; Mon, 15 Apr 2019 11:33:46 +0200 (CEST) Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) by dpdk.org (Postfix) with ESMTP id CC85B1B141 for ; Mon, 15 Apr 2019 11:33:45 +0200 (CEST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga004.fm.intel.com ([10.253.24.48]) by fmsmga101.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 15 Apr 2019 02:33:44 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.60,353,1549958400"; d="scan'208";a="161983255" Received: from silpixa00383879.ir.intel.com (HELO silpixa00383879.ger.corp.intel.com) ([10.237.222.142]) by fmsmga004.fm.intel.com with ESMTP; 15 Apr 2019 02:33:44 -0700 From: Radu Nicolau To: dev@dpdk.org Cc: declan.doherty@intel.com, chas3@att.com, Radu Nicolau Date: Mon, 15 Apr 2019 10:27:38 +0100 Message-Id: <1555320458-9432-1-git-send-email-radu.nicolau@intel.com> X-Mailer: git-send-email 2.7.5 Subject: [dpdk-dev] [PATCH] net/bonding: fix potential out of bounds read X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Content-Type: text/plain; charset="UTF-8" Message-ID: <20190415092738.m2jjzAHi_LIeW3ANDHAu9WTK5pT7MMaUfo5puvMQHeo@z> Add validation to pointer constructed from the IPv4 header length in order to prevent malformed packets from generating a potential out of bounds memory read. Signed-off-by: Radu Nicolau --- drivers/net/bonding/rte_eth_bond_pmd.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/net/bonding/rte_eth_bond_pmd.c b/drivers/net/bonding/rte_eth_bond_pmd.c index b0d191d..25dbddc 100644 --- a/drivers/net/bonding/rte_eth_bond_pmd.c +++ b/drivers/net/bonding/rte_eth_bond_pmd.c @@ -842,6 +842,7 @@ burst_xmit_l34_hash(struct rte_mbuf **buf, uint16_t nb_pkts, for (i = 0; i < nb_pkts; i++) { eth_hdr = rte_pktmbuf_mtod(buf[i], struct ether_hdr *); + size_t pkt_end = (size_t)eth_hdr + rte_pktmbuf_pkt_len(buf[i]); proto = eth_hdr->ether_type; vlan_offset = get_vlan_offset(eth_hdr, &proto); l3hash = 0; @@ -865,13 +866,17 @@ burst_xmit_l34_hash(struct rte_mbuf **buf, uint16_t nb_pkts, tcp_hdr = (struct tcp_hdr *) ((char *)ipv4_hdr + ip_hdr_offset); - l4hash = HASH_L4_PORTS(tcp_hdr); + if ((size_t)tcp_hdr + sizeof(*tcp_hdr) + < pkt_end) + l4hash = HASH_L4_PORTS(tcp_hdr); } else if (ipv4_hdr->next_proto_id == IPPROTO_UDP) { udp_hdr = (struct udp_hdr *) ((char *)ipv4_hdr + ip_hdr_offset); - l4hash = HASH_L4_PORTS(udp_hdr); + if ((size_t)udp_hdr + sizeof(*udp_hdr) + < pkt_end) + l4hash = HASH_L4_PORTS(udp_hdr); } } } else if (rte_cpu_to_be_16(ETHER_TYPE_IPv6) == proto) { -- 2.7.5