From: Olivier Matz <olivier.matz@6wind.com>
To: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Cc: marko.kovacevic@intel.com, orika@mellanox.com,
bruce.richardson@intel.com, pablo.de.lara.guarch@intel.com,
radu.nicolau@intel.com, akhil.goyal@nxp.com,
tomasz.kantecki@intel.com, konstantin.ananyev@intel.com,
bernard.iremonger@intel.com, dev@dpdk.org
Subject: Re: [dpdk-dev] [PATCH v2 1/4] net: new ipv6 header extension parsing function
Date: Tue, 2 Jul 2019 11:06:50 +0200 [thread overview]
Message-ID: <20190702090650.kumw2o22woe52vbk@platinum> (raw)
In-Reply-To: <20190624134000.2456-2-marcinx.smoczynski@intel.com>
Hi,
On Mon, Jun 24, 2019 at 03:39:57PM +0200, Marcin Smoczynski wrote:
> Introduce new function for IPv6 header extension parsing able to
> determine extension length and next protocol number.
>
> This function is helpful when implementing IPv6 header traversing.
>
> Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
> ---
> lib/librte_net/rte_ip.h | 49 +++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 49 insertions(+)
>
> diff --git a/lib/librte_net/rte_ip.h b/lib/librte_net/rte_ip.h
> index ae3b7e730..c2c67b85d 100644
> --- a/lib/librte_net/rte_ip.h
> +++ b/lib/librte_net/rte_ip.h
> @@ -428,6 +428,55 @@ rte_ipv6_udptcp_cksum(const struct rte_ipv6_hdr *ipv6_hdr, const void *l4_hdr)
> return (uint16_t)cksum;
> }
>
> +/* IPv6 fragmentation header size */
> +#define RTE_IPV6_FRAG_HDR_SIZE 8
> +
> +/**
> + * Parse next IPv6 header extension
> + *
> + * This function checks if proto number is an IPv6 extensions and parses its
> + * data if so, providing information on next header and extension length.
> + *
> + * @param p
> + * Pointer to an extension raw data.
> + * @param proto
> + * Protocol number extracted from the "next header" field from
> + * the IPv6 header or the previous extension.
> + * @param ext_len
> + * Extension data length.
> + * @return
> + * next protocol number if proto is an IPv6 extension, -EINVAL otherwise
> + */
> +static inline int __rte_experimental
> +rte_ipv6_get_next_ext(uint8_t *p, int proto, size_t *ext_len)
> +{
> + int next_proto;
> +
> + switch (proto) {
> + case IPPROTO_AH:
> + next_proto = *p++;
> + *ext_len = (*p + 2) * sizeof(uint32_t);
> + break;
> +
> + case IPPROTO_HOPOPTS:
> + case IPPROTO_ROUTING:
> + case IPPROTO_DSTOPTS:
> + next_proto = *p++;
> + *ext_len = (*p + 1) * sizeof(uint64_t);
> + break;
> +
> + case IPPROTO_FRAGMENT:
> + next_proto = *p;
> + *ext_len = RTE_IPV6_FRAG_HDR_SIZE;
> + break;
> +
> + default:
> + return -EINVAL;
> + }
> +
> + return next_proto;
> +}
> +
> #ifdef __cplusplus
> }
> #endif
I just want to highlight the potential danger of this kind of function: then
length is read from the packet (controlled by the peer), and returned without
check.
My initial fear was that an attacker forge an IPv6 packet, resulting in *ext_len
being 0. For instance, calling the function with (proto = IPPROTO_ROUTING,
buffer = [ 0, 255, ... ]). Fortunatly, this does not happen, due to the implicit
promotion of *p to a larger integer in the (*p + 1) expression.
That said, what about adding some comments in the description, saying that:
- the pointer p must point to a buffer whose length is at least 2
- the returned length must be checked by the caller to ensure it does not
overflow the packet buffer
You can add my ack in the next version.
Thanks,
Olivier
next prev parent reply other threads:[~2019-07-02 9:06 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-08 10:47 [dpdk-dev] [PATCH 1/3] " Marcin Smoczynski
2019-05-08 10:47 ` Marcin Smoczynski
2019-05-08 10:47 ` [dpdk-dev] [PATCH 2/3] ipsec: fix transport mode for ipv6 with extensions Marcin Smoczynski
2019-05-08 10:47 ` Marcin Smoczynski
2019-05-14 12:42 ` Ananyev, Konstantin
2019-05-14 12:42 ` Ananyev, Konstantin
2019-06-20 12:07 ` Akhil Goyal
2019-05-08 10:47 ` [dpdk-dev] [PATCH 3/3] examples/ipsec-secgw: add support for ipv6 options Marcin Smoczynski
2019-05-08 10:47 ` Marcin Smoczynski
2019-05-14 12:51 ` Ananyev, Konstantin
2019-05-14 12:51 ` Ananyev, Konstantin
2019-05-14 12:48 ` [dpdk-dev] [PATCH 1/3] net: new ipv6 header extension parsing function Ananyev, Konstantin
2019-05-14 12:48 ` Ananyev, Konstantin
2019-06-20 11:40 ` Akhil Goyal
2019-06-20 17:40 ` Ananyev, Konstantin
2019-06-21 8:01 ` Akhil Goyal
2019-06-24 11:45 ` Smoczynski, MarcinX
2019-06-25 12:57 ` Akhil Goyal
2019-06-24 13:39 ` [dpdk-dev] [PATCH v2 0/4] IPv6 with options support for IPsec transport Marcin Smoczynski
2019-06-24 13:39 ` [dpdk-dev] [PATCH v2 1/4] net: new ipv6 header extension parsing function Marcin Smoczynski
2019-06-24 18:54 ` Ananyev, Konstantin
2019-07-02 9:06 ` Olivier Matz [this message]
2019-06-24 13:39 ` [dpdk-dev] [PATCH v2 2/4] ipsec: fix transport mode for ipv6 with extensions Marcin Smoczynski
2019-06-24 18:55 ` Ananyev, Konstantin
2019-06-24 13:39 ` [dpdk-dev] [PATCH v2 3/4] examples/ipsec-secgw: add support for ipv6 options Marcin Smoczynski
2019-06-24 18:55 ` Ananyev, Konstantin
2019-06-24 13:40 ` [dpdk-dev] [PATCH v2 4/4] examples/ipsec-secgw: add scapy based unittests Marcin Smoczynski
2019-06-24 18:56 ` Ananyev, Konstantin
2019-06-25 12:59 ` [dpdk-dev] [PATCH v2 0/4] IPv6 with options support for IPsec transport Akhil Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190702090650.kumw2o22woe52vbk@platinum \
--to=olivier.matz@6wind.com \
--cc=akhil.goyal@nxp.com \
--cc=bernard.iremonger@intel.com \
--cc=bruce.richardson@intel.com \
--cc=dev@dpdk.org \
--cc=konstantin.ananyev@intel.com \
--cc=marcinx.smoczynski@intel.com \
--cc=marko.kovacevic@intel.com \
--cc=orika@mellanox.com \
--cc=pablo.de.lara.guarch@intel.com \
--cc=radu.nicolau@intel.com \
--cc=tomasz.kantecki@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).