* [dpdk-dev] [PATCH 1/2] ip_frag: check fragment length of incoming packet
2018-11-05 10:26 [dpdk-dev] [PATCH 0/2] ip_frag: two fixes in reassembly code Konstantin Ananyev
@ 2018-11-05 10:26 ` Konstantin Ananyev
2018-11-05 11:37 ` [dpdk-dev] [dpdk-stable] " Thomas Monjalon
2018-11-05 10:26 ` [dpdk-dev] [PATCH 2/2] ip_frag: use key length for key comparision Konstantin Ananyev
` (6 subsequent siblings)
7 siblings, 1 reply; 13+ messages in thread
From: Konstantin Ananyev @ 2018-11-05 10:26 UTC (permalink / raw)
To: dev; +Cc: stable, ryan.e.hall, alexander.v.gutkin, Konstantin Ananyev
Under some conditions ill-formed fragments might cause
reassembly code to corrupt mbufs and/or crash.
Let say the following fragments sequence:
<ofs=0,len=100, flags=MF>
<ofs=96,len=100, flags=MF>
<ofs=200,len=0,flags=MF>
<ofs=200,len=100,flags=0>
can trigger the problem.
To overcome such situation, added check that fragment length
of incoming value is greater than zero.
Reported-by: <ryan.e.hall@intel.com>
Reported-by: <alexander.v.gutkin@intel.com>
Fixes: 601e279df074 ("ip_frag: move fragmentation/reassembly headers into a library")
Fixes: 4f1a8f633862 ("ip_frag: add IPv6 reassembly")
Cc: stable@dpdk.org
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
---
lib/librte_ip_frag/rte_ipv4_reassembly.c | 22 +++++++++++++------
lib/librte_ip_frag/rte_ipv6_reassembly.c | 28 +++++++++++++++++-------
2 files changed, 35 insertions(+), 15 deletions(-)
diff --git a/lib/librte_ip_frag/rte_ipv4_reassembly.c b/lib/librte_ip_frag/rte_ipv4_reassembly.c
index 4956b99ea..1029b7abc 100644
--- a/lib/librte_ip_frag/rte_ipv4_reassembly.c
+++ b/lib/librte_ip_frag/rte_ipv4_reassembly.c
@@ -36,8 +36,11 @@ ipv4_frag_reassemble(struct ip_frag_pkt *fp)
/* previous fragment found. */
if(fp->frags[i].ofs + fp->frags[i].len == ofs) {
+ RTE_ASSERT(curr_idx != i);
+
/* adjust start of the last fragment data. */
- rte_pktmbuf_adj(m, (uint16_t)(m->l2_len + m->l3_len));
+ rte_pktmbuf_adj(m,
+ (uint16_t)(m->l2_len + m->l3_len));
rte_pktmbuf_chain(fp->frags[i].mb, m);
/* this mbuf should not be accessed directly */
@@ -96,14 +99,14 @@ ipv4_frag_reassemble(struct ip_frag_pkt *fp)
*/
struct rte_mbuf *
rte_ipv4_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl,
- struct rte_ip_frag_death_row *dr, struct rte_mbuf *mb, uint64_t tms,
- struct ipv4_hdr *ip_hdr)
+ struct rte_ip_frag_death_row *dr, struct rte_mbuf *mb, uint64_t tms,
+ struct ipv4_hdr *ip_hdr)
{
struct ip_frag_pkt *fp;
struct ip_frag_key key;
const unaligned_uint64_t *psd;
- uint16_t ip_len;
uint16_t flag_offset, ip_ofs, ip_flag;
+ int32_t ip_len;
flag_offset = rte_be_to_cpu_16(ip_hdr->fragment_offset);
ip_ofs = (uint16_t)(flag_offset & IPV4_HDR_OFFSET_MASK);
@@ -116,12 +119,11 @@ rte_ipv4_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl,
key.key_len = IPV4_KEYLEN;
ip_ofs *= IPV4_HDR_OFFSET_UNITS;
- ip_len = (uint16_t)(rte_be_to_cpu_16(ip_hdr->total_length) -
- mb->l3_len);
+ ip_len = rte_be_to_cpu_16(ip_hdr->total_length) - mb->l3_len;
IP_FRAG_LOG(DEBUG, "%s:%d:\n"
"mbuf: %p, tms: %" PRIu64
- ", key: <%" PRIx64 ", %#x>, ofs: %u, len: %u, flags: %#x\n"
+ ", key: <%" PRIx64 ", %#x>, ofs: %u, len: %d, flags: %#x\n"
"tbl: %p, max_cycles: %" PRIu64 ", entry_mask: %#x, "
"max_entries: %u, use_entries: %u\n\n",
__func__, __LINE__,
@@ -129,6 +131,12 @@ rte_ipv4_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl,
tbl, tbl->max_cycles, tbl->entry_mask, tbl->max_entries,
tbl->use_entries);
+ /* check that fragment length is greater then zero. */
+ if (ip_len <= 0) {
+ IP_FRAG_MBUF2DR(dr, mb);
+ return NULL;
+ }
+
/* try to find/add entry into the fragment's table. */
if ((fp = ip_frag_find(tbl, dr, &key, tms)) == NULL) {
IP_FRAG_MBUF2DR(dr, mb);
diff --git a/lib/librte_ip_frag/rte_ipv6_reassembly.c b/lib/librte_ip_frag/rte_ipv6_reassembly.c
index db249fe60..855e3f740 100644
--- a/lib/librte_ip_frag/rte_ipv6_reassembly.c
+++ b/lib/librte_ip_frag/rte_ipv6_reassembly.c
@@ -59,8 +59,11 @@ ipv6_frag_reassemble(struct ip_frag_pkt *fp)
/* previous fragment found. */
if (fp->frags[i].ofs + fp->frags[i].len == ofs) {
+ RTE_ASSERT(curr_idx != i);
+
/* adjust start of the last fragment data. */
- rte_pktmbuf_adj(m, (uint16_t)(m->l2_len + m->l3_len));
+ rte_pktmbuf_adj(m,
+ (uint16_t)(m->l2_len + m->l3_len));
rte_pktmbuf_chain(fp->frags[i].mb, m);
/* this mbuf should not be accessed directly */
@@ -135,12 +138,13 @@ ipv6_frag_reassemble(struct ip_frag_pkt *fp)
#define FRAG_OFFSET(x) (rte_cpu_to_be_16(x) >> 3)
struct rte_mbuf *
rte_ipv6_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl,
- struct rte_ip_frag_death_row *dr, struct rte_mbuf *mb, uint64_t tms,
- struct ipv6_hdr *ip_hdr, struct ipv6_extension_fragment *frag_hdr)
+ struct rte_ip_frag_death_row *dr, struct rte_mbuf *mb, uint64_t tms,
+ struct ipv6_hdr *ip_hdr, struct ipv6_extension_fragment *frag_hdr)
{
struct ip_frag_pkt *fp;
struct ip_frag_key key;
- uint16_t ip_len, ip_ofs;
+ uint16_t ip_ofs;
+ int32_t ip_len;
rte_memcpy(&key.src_dst[0], ip_hdr->src_addr, 16);
rte_memcpy(&key.src_dst[2], ip_hdr->dst_addr, 16);
@@ -151,15 +155,17 @@ rte_ipv6_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl,
ip_ofs = FRAG_OFFSET(frag_hdr->frag_data) * 8;
/*
- * as per RFC2460, payload length contains all extension headers as well.
- * since we don't support anything but frag headers, this is what we remove
- * from the payload len.
+ * as per RFC2460, payload length contains all extension headers
+ * as well.
+ * since we don't support anything but frag headers,
+ * this is what we remove from the payload len.
*/
ip_len = rte_be_to_cpu_16(ip_hdr->payload_len) - sizeof(*frag_hdr);
IP_FRAG_LOG(DEBUG, "%s:%d:\n"
"mbuf: %p, tms: %" PRIu64
- ", key: <" IPv6_KEY_BYTES_FMT ", %#x>, ofs: %u, len: %u, flags: %#x\n"
+ ", key: <" IPv6_KEY_BYTES_FMT ", %#x>, "
+ "ofs: %u, len: %d, flags: %#x\n"
"tbl: %p, max_cycles: %" PRIu64 ", entry_mask: %#x, "
"max_entries: %u, use_entries: %u\n\n",
__func__, __LINE__,
@@ -168,6 +174,12 @@ rte_ipv6_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl,
tbl, tbl->max_cycles, tbl->entry_mask, tbl->max_entries,
tbl->use_entries);
+ /* check that fragment length is greater then zero. */
+ if (ip_len <= 0) {
+ IP_FRAG_MBUF2DR(dr, mb);
+ return NULL;
+ }
+
/* try to find/add entry into the fragment's table. */
fp = ip_frag_find(tbl, dr, &key, tms);
if (fp == NULL) {
--
2.17.1
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [dpdk-dev] [dpdk-stable] [PATCH 1/2] ip_frag: check fragment length of incoming packet
2018-11-05 10:26 ` [dpdk-dev] [PATCH 1/2] ip_frag: check fragment length of incoming packet Konstantin Ananyev
@ 2018-11-05 11:37 ` Thomas Monjalon
0 siblings, 0 replies; 13+ messages in thread
From: Thomas Monjalon @ 2018-11-05 11:37 UTC (permalink / raw)
To: Konstantin Ananyev; +Cc: stable, dev, ryan.e.hall, alexander.v.gutkin
05/11/2018 11:26, Konstantin Ananyev:
> Under some conditions ill-formed fragments might cause
> reassembly code to corrupt mbufs and/or crash.
> Let say the following fragments sequence:
> <ofs=0,len=100, flags=MF>
> <ofs=96,len=100, flags=MF>
> <ofs=200,len=0,flags=MF>
> <ofs=200,len=100,flags=0>
> can trigger the problem.
> To overcome such situation, added check that fragment length
> of incoming value is greater than zero.
>
> Reported-by: <ryan.e.hall@intel.com>
> Reported-by: <alexander.v.gutkin@intel.com>
Please, could you provide the full names?
Note: it is usually inserted just before your Signed-off.
> Fixes: 601e279df074 ("ip_frag: move fragmentation/reassembly headers into a library")
> Fixes: 4f1a8f633862 ("ip_frag: add IPv6 reassembly")
> Cc: stable@dpdk.org
>
> Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
^ permalink raw reply [flat|nested] 13+ messages in thread
* [dpdk-dev] [PATCH 2/2] ip_frag: use key length for key comparision
2018-11-05 10:26 [dpdk-dev] [PATCH 0/2] ip_frag: two fixes in reassembly code Konstantin Ananyev
2018-11-05 10:26 ` [dpdk-dev] [PATCH 1/2] ip_frag: check fragment length of incoming packet Konstantin Ananyev
@ 2018-11-05 10:26 ` Konstantin Ananyev
2018-11-05 12:11 ` [dpdk-dev] [PATCH v2 0/2] ip_frag: two fixes in reassembly code Konstantin Ananyev
` (5 subsequent siblings)
7 siblings, 0 replies; 13+ messages in thread
From: Konstantin Ananyev @ 2018-11-05 10:26 UTC (permalink / raw)
To: dev; +Cc: stable, ryan.e.hall, alexander.v.gutkin, Konstantin Ananyev
Right now reassembly code relies on src_dst[] being all zeroes to
determine is it free/occupied entry in the fragments table.
This is suboptimal and error prone - user can crash DPDK ip_reassembly
app by something like the following scapy script:
x=Ether(src=...,dst=...)/IP(dst='0.0.0.0',src='0.0.0.0',id=0)/('X'*1000)
frags=fragment(x, fragsize=500)
sendp(frags, iface=...)
To overcome that issue and reduce overhead of
'key invalidate' and 'key is empty' operations -
add key_len into keys comparision procedure.
Reported-by: <ryan.e.hall@intel.com>
Reported-by: <alexander.v.gutkin@intel.com>
Fixes: 4f1a8f633862 ("ip_frag: add IPv6 reassembly")
Cc: stable@dpdk.org
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
---
lib/librte_ip_frag/ip_frag_common.h | 14 ++++----------
lib/librte_ip_frag/rte_ip_frag.h | 14 +++++++++++---
2 files changed, 15 insertions(+), 13 deletions(-)
diff --git a/lib/librte_ip_frag/ip_frag_common.h b/lib/librte_ip_frag/ip_frag_common.h
index 0f62e2e16..a17a74076 100644
--- a/lib/librte_ip_frag/ip_frag_common.h
+++ b/lib/librte_ip_frag/ip_frag_common.h
@@ -58,20 +58,14 @@ struct rte_mbuf *ipv6_frag_reassemble(struct ip_frag_pkt *fp);
static inline int
ip_frag_key_is_empty(const struct ip_frag_key * key)
{
- uint32_t i;
- for (i = 0; i < RTE_MIN(key->key_len, RTE_DIM(key->src_dst)); i++)
- if (key->src_dst[i] != 0)
- return 0;
- return 1;
+ return (key->key_len == 0);
}
-/* empty the key */
+/* invalidate the key */
static inline void
ip_frag_key_invalidate(struct ip_frag_key * key)
{
- uint32_t i;
- for (i = 0; i < key->key_len; i++)
- key->src_dst[i] = 0;
+ key->key_len = 0;
}
/* compare two keys */
@@ -80,7 +74,7 @@ ip_frag_key_cmp(const struct ip_frag_key * k1, const struct ip_frag_key * k2)
{
uint32_t i;
uint64_t val;
- val = k1->id ^ k2->id;
+ val = k1->id_key_len ^ k2->id_key_len;
for (i = 0; i < k1->key_len; i++)
val |= k1->src_dst[i] ^ k2->src_dst[i];
return val;
diff --git a/lib/librte_ip_frag/rte_ip_frag.h b/lib/librte_ip_frag/rte_ip_frag.h
index 7f425f610..a4ccaf9d1 100644
--- a/lib/librte_ip_frag/rte_ip_frag.h
+++ b/lib/librte_ip_frag/rte_ip_frag.h
@@ -44,9 +44,17 @@ struct ip_frag {
/** @internal <src addr, dst_addr, id> to uniquely identify fragmented datagram. */
struct ip_frag_key {
- uint64_t src_dst[4]; /**< src address, first 8 bytes used for IPv4 */
- uint32_t id; /**< dst address */
- uint32_t key_len; /**< src/dst key length */
+ uint64_t src_dst[4];
+ /**< src and dst address, only first 8 bytes used for IPv4 */
+ RTE_STD_C11
+ union {
+ uint64_t id_key_len; /**< combined for easy fetch */
+ __extension__
+ struct {
+ uint32_t id; /**< packet id */
+ uint32_t key_len; /**< src/dst key length */
+ };
+ };
};
/**
--
2.17.1
^ permalink raw reply [flat|nested] 13+ messages in thread
* [dpdk-dev] [PATCH v2 0/2] ip_frag: two fixes in reassembly code
2018-11-05 10:26 [dpdk-dev] [PATCH 0/2] ip_frag: two fixes in reassembly code Konstantin Ananyev
2018-11-05 10:26 ` [dpdk-dev] [PATCH 1/2] ip_frag: check fragment length of incoming packet Konstantin Ananyev
2018-11-05 10:26 ` [dpdk-dev] [PATCH 2/2] ip_frag: use key length for key comparision Konstantin Ananyev
@ 2018-11-05 12:11 ` Konstantin Ananyev
2018-11-05 12:11 ` [dpdk-dev] [PATCH v2 1/2] ip_frag: check fragment length of incoming packet Konstantin Ananyev
` (4 subsequent siblings)
7 siblings, 0 replies; 13+ messages in thread
From: Konstantin Ananyev @ 2018-11-05 12:11 UTC (permalink / raw)
To: dev; +Cc: stable, ryan.e.hall, alexander.v.gutkin, Konstantin Ananyev
Fix 2 issues reported in reassembly code path.
Konstantin Ananyev (2):
ip_frag: check fragment length of incoming packet
ip_frag: use key length for key comparision
lib/librte_ip_frag/ip_frag_common.h | 14 ++++--------
lib/librte_ip_frag/rte_ip_frag.h | 14 +++++++++---
lib/librte_ip_frag/rte_ipv4_reassembly.c | 22 +++++++++++++------
lib/librte_ip_frag/rte_ipv6_reassembly.c | 28 +++++++++++++++++-------
4 files changed, 50 insertions(+), 28 deletions(-)
--
2.17.1
^ permalink raw reply [flat|nested] 13+ messages in thread
* [dpdk-dev] [PATCH v2 1/2] ip_frag: check fragment length of incoming packet
2018-11-05 10:26 [dpdk-dev] [PATCH 0/2] ip_frag: two fixes in reassembly code Konstantin Ananyev
` (2 preceding siblings ...)
2018-11-05 12:11 ` [dpdk-dev] [PATCH v2 0/2] ip_frag: two fixes in reassembly code Konstantin Ananyev
@ 2018-11-05 12:11 ` Konstantin Ananyev
2018-11-05 12:11 ` [dpdk-dev] [PATCH 2/2] ip_frag: use key length for key comparision Konstantin Ananyev
` (3 subsequent siblings)
7 siblings, 0 replies; 13+ messages in thread
From: Konstantin Ananyev @ 2018-11-05 12:11 UTC (permalink / raw)
To: dev; +Cc: stable, ryan.e.hall, alexander.v.gutkin, Konstantin Ananyev
Under some conditions ill-formed fragments might cause
reassembly code to corrupt mbufs and/or crash.
Let say the following fragments sequence:
<ofs=0,len=100, flags=MF>
<ofs=96,len=100, flags=MF>
<ofs=200,len=0,flags=MF>
<ofs=200,len=100,flags=0>
can trigger the problem.
To overcome such situation, added check that fragment length
of incoming value is greater than zero.
Fixes: 601e279df074 ("ip_frag: move fragmentation/reassembly headers into a library")
Fixes: 4f1a8f633862 ("ip_frag: add IPv6 reassembly")
Cc: stable@dpdk.org
Reported-by: Ryan E Hall <ryan.e.hall@intel.com>
Reported-by: Alexander V Gutkin <alexander.v.gutkin@intel.com>
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
---
lib/librte_ip_frag/rte_ipv4_reassembly.c | 22 +++++++++++++------
lib/librte_ip_frag/rte_ipv6_reassembly.c | 28 +++++++++++++++++-------
2 files changed, 35 insertions(+), 15 deletions(-)
diff --git a/lib/librte_ip_frag/rte_ipv4_reassembly.c b/lib/librte_ip_frag/rte_ipv4_reassembly.c
index 4956b99ea..1029b7abc 100644
--- a/lib/librte_ip_frag/rte_ipv4_reassembly.c
+++ b/lib/librte_ip_frag/rte_ipv4_reassembly.c
@@ -36,8 +36,11 @@ ipv4_frag_reassemble(struct ip_frag_pkt *fp)
/* previous fragment found. */
if(fp->frags[i].ofs + fp->frags[i].len == ofs) {
+ RTE_ASSERT(curr_idx != i);
+
/* adjust start of the last fragment data. */
- rte_pktmbuf_adj(m, (uint16_t)(m->l2_len + m->l3_len));
+ rte_pktmbuf_adj(m,
+ (uint16_t)(m->l2_len + m->l3_len));
rte_pktmbuf_chain(fp->frags[i].mb, m);
/* this mbuf should not be accessed directly */
@@ -96,14 +99,14 @@ ipv4_frag_reassemble(struct ip_frag_pkt *fp)
*/
struct rte_mbuf *
rte_ipv4_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl,
- struct rte_ip_frag_death_row *dr, struct rte_mbuf *mb, uint64_t tms,
- struct ipv4_hdr *ip_hdr)
+ struct rte_ip_frag_death_row *dr, struct rte_mbuf *mb, uint64_t tms,
+ struct ipv4_hdr *ip_hdr)
{
struct ip_frag_pkt *fp;
struct ip_frag_key key;
const unaligned_uint64_t *psd;
- uint16_t ip_len;
uint16_t flag_offset, ip_ofs, ip_flag;
+ int32_t ip_len;
flag_offset = rte_be_to_cpu_16(ip_hdr->fragment_offset);
ip_ofs = (uint16_t)(flag_offset & IPV4_HDR_OFFSET_MASK);
@@ -116,12 +119,11 @@ rte_ipv4_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl,
key.key_len = IPV4_KEYLEN;
ip_ofs *= IPV4_HDR_OFFSET_UNITS;
- ip_len = (uint16_t)(rte_be_to_cpu_16(ip_hdr->total_length) -
- mb->l3_len);
+ ip_len = rte_be_to_cpu_16(ip_hdr->total_length) - mb->l3_len;
IP_FRAG_LOG(DEBUG, "%s:%d:\n"
"mbuf: %p, tms: %" PRIu64
- ", key: <%" PRIx64 ", %#x>, ofs: %u, len: %u, flags: %#x\n"
+ ", key: <%" PRIx64 ", %#x>, ofs: %u, len: %d, flags: %#x\n"
"tbl: %p, max_cycles: %" PRIu64 ", entry_mask: %#x, "
"max_entries: %u, use_entries: %u\n\n",
__func__, __LINE__,
@@ -129,6 +131,12 @@ rte_ipv4_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl,
tbl, tbl->max_cycles, tbl->entry_mask, tbl->max_entries,
tbl->use_entries);
+ /* check that fragment length is greater then zero. */
+ if (ip_len <= 0) {
+ IP_FRAG_MBUF2DR(dr, mb);
+ return NULL;
+ }
+
/* try to find/add entry into the fragment's table. */
if ((fp = ip_frag_find(tbl, dr, &key, tms)) == NULL) {
IP_FRAG_MBUF2DR(dr, mb);
diff --git a/lib/librte_ip_frag/rte_ipv6_reassembly.c b/lib/librte_ip_frag/rte_ipv6_reassembly.c
index db249fe60..855e3f740 100644
--- a/lib/librte_ip_frag/rte_ipv6_reassembly.c
+++ b/lib/librte_ip_frag/rte_ipv6_reassembly.c
@@ -59,8 +59,11 @@ ipv6_frag_reassemble(struct ip_frag_pkt *fp)
/* previous fragment found. */
if (fp->frags[i].ofs + fp->frags[i].len == ofs) {
+ RTE_ASSERT(curr_idx != i);
+
/* adjust start of the last fragment data. */
- rte_pktmbuf_adj(m, (uint16_t)(m->l2_len + m->l3_len));
+ rte_pktmbuf_adj(m,
+ (uint16_t)(m->l2_len + m->l3_len));
rte_pktmbuf_chain(fp->frags[i].mb, m);
/* this mbuf should not be accessed directly */
@@ -135,12 +138,13 @@ ipv6_frag_reassemble(struct ip_frag_pkt *fp)
#define FRAG_OFFSET(x) (rte_cpu_to_be_16(x) >> 3)
struct rte_mbuf *
rte_ipv6_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl,
- struct rte_ip_frag_death_row *dr, struct rte_mbuf *mb, uint64_t tms,
- struct ipv6_hdr *ip_hdr, struct ipv6_extension_fragment *frag_hdr)
+ struct rte_ip_frag_death_row *dr, struct rte_mbuf *mb, uint64_t tms,
+ struct ipv6_hdr *ip_hdr, struct ipv6_extension_fragment *frag_hdr)
{
struct ip_frag_pkt *fp;
struct ip_frag_key key;
- uint16_t ip_len, ip_ofs;
+ uint16_t ip_ofs;
+ int32_t ip_len;
rte_memcpy(&key.src_dst[0], ip_hdr->src_addr, 16);
rte_memcpy(&key.src_dst[2], ip_hdr->dst_addr, 16);
@@ -151,15 +155,17 @@ rte_ipv6_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl,
ip_ofs = FRAG_OFFSET(frag_hdr->frag_data) * 8;
/*
- * as per RFC2460, payload length contains all extension headers as well.
- * since we don't support anything but frag headers, this is what we remove
- * from the payload len.
+ * as per RFC2460, payload length contains all extension headers
+ * as well.
+ * since we don't support anything but frag headers,
+ * this is what we remove from the payload len.
*/
ip_len = rte_be_to_cpu_16(ip_hdr->payload_len) - sizeof(*frag_hdr);
IP_FRAG_LOG(DEBUG, "%s:%d:\n"
"mbuf: %p, tms: %" PRIu64
- ", key: <" IPv6_KEY_BYTES_FMT ", %#x>, ofs: %u, len: %u, flags: %#x\n"
+ ", key: <" IPv6_KEY_BYTES_FMT ", %#x>, "
+ "ofs: %u, len: %d, flags: %#x\n"
"tbl: %p, max_cycles: %" PRIu64 ", entry_mask: %#x, "
"max_entries: %u, use_entries: %u\n\n",
__func__, __LINE__,
@@ -168,6 +174,12 @@ rte_ipv6_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl,
tbl, tbl->max_cycles, tbl->entry_mask, tbl->max_entries,
tbl->use_entries);
+ /* check that fragment length is greater then zero. */
+ if (ip_len <= 0) {
+ IP_FRAG_MBUF2DR(dr, mb);
+ return NULL;
+ }
+
/* try to find/add entry into the fragment's table. */
fp = ip_frag_find(tbl, dr, &key, tms);
if (fp == NULL) {
--
2.17.1
^ permalink raw reply [flat|nested] 13+ messages in thread
* [dpdk-dev] [PATCH 2/2] ip_frag: use key length for key comparision
2018-11-05 10:26 [dpdk-dev] [PATCH 0/2] ip_frag: two fixes in reassembly code Konstantin Ananyev
` (3 preceding siblings ...)
2018-11-05 12:11 ` [dpdk-dev] [PATCH v2 1/2] ip_frag: check fragment length of incoming packet Konstantin Ananyev
@ 2018-11-05 12:11 ` Konstantin Ananyev
2018-11-05 12:18 ` [dpdk-dev] [PATCH v2 0/2] ip_frag: two fixes in reassembly code Konstantin Ananyev
` (2 subsequent siblings)
7 siblings, 0 replies; 13+ messages in thread
From: Konstantin Ananyev @ 2018-11-05 12:11 UTC (permalink / raw)
To: dev; +Cc: stable, ryan.e.hall, alexander.v.gutkin, Konstantin Ananyev
Right now reassembly code relies on src_dst[] being all zeroes to
determine is it free/occupied entry in the fragments table.
This is suboptimal and error prone - user can crash DPDK ip_reassembly
app by something like the following scapy script:
x=Ether(src=...,dst=...)/IP(dst='0.0.0.0',src='0.0.0.0',id=0)/('X'*1000)
frags=fragment(x, fragsize=500)
sendp(frags, iface=...)
To overcome that issue and reduce overhead of
'key invalidate' and 'key is empty' operations -
add key_len into keys comparision procedure.
Fixes: 4f1a8f633862 ("ip_frag: add IPv6 reassembly")
Cc: stable@dpdk.org
Reported-by: Ryan E Hall <ryan.e.hall@intel.com>
Reported-by: Alexander V Gutkin <alexander.v.gutkin@intel.com>
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
---
lib/librte_ip_frag/ip_frag_common.h | 14 ++++----------
lib/librte_ip_frag/rte_ip_frag.h | 14 +++++++++++---
2 files changed, 15 insertions(+), 13 deletions(-)
diff --git a/lib/librte_ip_frag/ip_frag_common.h b/lib/librte_ip_frag/ip_frag_common.h
index 0f62e2e16..a17a74076 100644
--- a/lib/librte_ip_frag/ip_frag_common.h
+++ b/lib/librte_ip_frag/ip_frag_common.h
@@ -58,20 +58,14 @@ struct rte_mbuf *ipv6_frag_reassemble(struct ip_frag_pkt *fp);
static inline int
ip_frag_key_is_empty(const struct ip_frag_key * key)
{
- uint32_t i;
- for (i = 0; i < RTE_MIN(key->key_len, RTE_DIM(key->src_dst)); i++)
- if (key->src_dst[i] != 0)
- return 0;
- return 1;
+ return (key->key_len == 0);
}
-/* empty the key */
+/* invalidate the key */
static inline void
ip_frag_key_invalidate(struct ip_frag_key * key)
{
- uint32_t i;
- for (i = 0; i < key->key_len; i++)
- key->src_dst[i] = 0;
+ key->key_len = 0;
}
/* compare two keys */
@@ -80,7 +74,7 @@ ip_frag_key_cmp(const struct ip_frag_key * k1, const struct ip_frag_key * k2)
{
uint32_t i;
uint64_t val;
- val = k1->id ^ k2->id;
+ val = k1->id_key_len ^ k2->id_key_len;
for (i = 0; i < k1->key_len; i++)
val |= k1->src_dst[i] ^ k2->src_dst[i];
return val;
diff --git a/lib/librte_ip_frag/rte_ip_frag.h b/lib/librte_ip_frag/rte_ip_frag.h
index 7f425f610..a4ccaf9d1 100644
--- a/lib/librte_ip_frag/rte_ip_frag.h
+++ b/lib/librte_ip_frag/rte_ip_frag.h
@@ -44,9 +44,17 @@ struct ip_frag {
/** @internal <src addr, dst_addr, id> to uniquely identify fragmented datagram. */
struct ip_frag_key {
- uint64_t src_dst[4]; /**< src address, first 8 bytes used for IPv4 */
- uint32_t id; /**< dst address */
- uint32_t key_len; /**< src/dst key length */
+ uint64_t src_dst[4];
+ /**< src and dst address, only first 8 bytes used for IPv4 */
+ RTE_STD_C11
+ union {
+ uint64_t id_key_len; /**< combined for easy fetch */
+ __extension__
+ struct {
+ uint32_t id; /**< packet id */
+ uint32_t key_len; /**< src/dst key length */
+ };
+ };
};
/**
--
2.17.1
^ permalink raw reply [flat|nested] 13+ messages in thread
* [dpdk-dev] [PATCH v2 0/2] ip_frag: two fixes in reassembly code
2018-11-05 10:26 [dpdk-dev] [PATCH 0/2] ip_frag: two fixes in reassembly code Konstantin Ananyev
` (4 preceding siblings ...)
2018-11-05 12:11 ` [dpdk-dev] [PATCH 2/2] ip_frag: use key length for key comparision Konstantin Ananyev
@ 2018-11-05 12:18 ` Konstantin Ananyev
2018-11-06 0:58 ` Thomas Monjalon
2018-11-05 12:18 ` [dpdk-dev] [PATCH v2 1/2] ip_frag: check fragment length of incoming packet Konstantin Ananyev
2018-11-05 12:18 ` [dpdk-dev] [PATCH v2 2/2] ip_frag: use key length for key comparision Konstantin Ananyev
7 siblings, 1 reply; 13+ messages in thread
From: Konstantin Ananyev @ 2018-11-05 12:18 UTC (permalink / raw)
To: dev; +Cc: stable, ryan.e.hall, alexander.v.gutkin, Konstantin Ananyev
Fix 2 issues reported in reassembly code path.
Konstantin Ananyev (2):
ip_frag: check fragment length of incoming packet
ip_frag: use key length for key comparision
lib/librte_ip_frag/ip_frag_common.h | 14 ++++--------
lib/librte_ip_frag/rte_ip_frag.h | 14 +++++++++---
lib/librte_ip_frag/rte_ipv4_reassembly.c | 22 +++++++++++++------
lib/librte_ip_frag/rte_ipv6_reassembly.c | 28 +++++++++++++++++-------
4 files changed, 50 insertions(+), 28 deletions(-)
--
2.17.1
^ permalink raw reply [flat|nested] 13+ messages in thread
* [dpdk-dev] [PATCH v2 1/2] ip_frag: check fragment length of incoming packet
2018-11-05 10:26 [dpdk-dev] [PATCH 0/2] ip_frag: two fixes in reassembly code Konstantin Ananyev
` (5 preceding siblings ...)
2018-11-05 12:18 ` [dpdk-dev] [PATCH v2 0/2] ip_frag: two fixes in reassembly code Konstantin Ananyev
@ 2018-11-05 12:18 ` Konstantin Ananyev
2018-11-05 12:18 ` [dpdk-dev] [PATCH v2 2/2] ip_frag: use key length for key comparision Konstantin Ananyev
7 siblings, 0 replies; 13+ messages in thread
From: Konstantin Ananyev @ 2018-11-05 12:18 UTC (permalink / raw)
To: dev; +Cc: stable, ryan.e.hall, alexander.v.gutkin, Konstantin Ananyev
Under some conditions ill-formed fragments might cause
reassembly code to corrupt mbufs and/or crash.
Let say the following fragments sequence:
<ofs=0,len=100, flags=MF>
<ofs=96,len=100, flags=MF>
<ofs=200,len=0,flags=MF>
<ofs=200,len=100,flags=0>
can trigger the problem.
To overcome such situation, added check that fragment length
of incoming value is greater than zero.
Fixes: 601e279df074 ("ip_frag: move fragmentation/reassembly headers into a library")
Fixes: 4f1a8f633862 ("ip_frag: add IPv6 reassembly")
Cc: stable@dpdk.org
Reported-by: Ryan E Hall <ryan.e.hall@intel.com>
Reported-by: Alexander V Gutkin <alexander.v.gutkin@intel.com>
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
---
lib/librte_ip_frag/rte_ipv4_reassembly.c | 22 +++++++++++++------
lib/librte_ip_frag/rte_ipv6_reassembly.c | 28 +++++++++++++++++-------
2 files changed, 35 insertions(+), 15 deletions(-)
diff --git a/lib/librte_ip_frag/rte_ipv4_reassembly.c b/lib/librte_ip_frag/rte_ipv4_reassembly.c
index 4956b99ea..1029b7abc 100644
--- a/lib/librte_ip_frag/rte_ipv4_reassembly.c
+++ b/lib/librte_ip_frag/rte_ipv4_reassembly.c
@@ -36,8 +36,11 @@ ipv4_frag_reassemble(struct ip_frag_pkt *fp)
/* previous fragment found. */
if(fp->frags[i].ofs + fp->frags[i].len == ofs) {
+ RTE_ASSERT(curr_idx != i);
+
/* adjust start of the last fragment data. */
- rte_pktmbuf_adj(m, (uint16_t)(m->l2_len + m->l3_len));
+ rte_pktmbuf_adj(m,
+ (uint16_t)(m->l2_len + m->l3_len));
rte_pktmbuf_chain(fp->frags[i].mb, m);
/* this mbuf should not be accessed directly */
@@ -96,14 +99,14 @@ ipv4_frag_reassemble(struct ip_frag_pkt *fp)
*/
struct rte_mbuf *
rte_ipv4_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl,
- struct rte_ip_frag_death_row *dr, struct rte_mbuf *mb, uint64_t tms,
- struct ipv4_hdr *ip_hdr)
+ struct rte_ip_frag_death_row *dr, struct rte_mbuf *mb, uint64_t tms,
+ struct ipv4_hdr *ip_hdr)
{
struct ip_frag_pkt *fp;
struct ip_frag_key key;
const unaligned_uint64_t *psd;
- uint16_t ip_len;
uint16_t flag_offset, ip_ofs, ip_flag;
+ int32_t ip_len;
flag_offset = rte_be_to_cpu_16(ip_hdr->fragment_offset);
ip_ofs = (uint16_t)(flag_offset & IPV4_HDR_OFFSET_MASK);
@@ -116,12 +119,11 @@ rte_ipv4_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl,
key.key_len = IPV4_KEYLEN;
ip_ofs *= IPV4_HDR_OFFSET_UNITS;
- ip_len = (uint16_t)(rte_be_to_cpu_16(ip_hdr->total_length) -
- mb->l3_len);
+ ip_len = rte_be_to_cpu_16(ip_hdr->total_length) - mb->l3_len;
IP_FRAG_LOG(DEBUG, "%s:%d:\n"
"mbuf: %p, tms: %" PRIu64
- ", key: <%" PRIx64 ", %#x>, ofs: %u, len: %u, flags: %#x\n"
+ ", key: <%" PRIx64 ", %#x>, ofs: %u, len: %d, flags: %#x\n"
"tbl: %p, max_cycles: %" PRIu64 ", entry_mask: %#x, "
"max_entries: %u, use_entries: %u\n\n",
__func__, __LINE__,
@@ -129,6 +131,12 @@ rte_ipv4_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl,
tbl, tbl->max_cycles, tbl->entry_mask, tbl->max_entries,
tbl->use_entries);
+ /* check that fragment length is greater then zero. */
+ if (ip_len <= 0) {
+ IP_FRAG_MBUF2DR(dr, mb);
+ return NULL;
+ }
+
/* try to find/add entry into the fragment's table. */
if ((fp = ip_frag_find(tbl, dr, &key, tms)) == NULL) {
IP_FRAG_MBUF2DR(dr, mb);
diff --git a/lib/librte_ip_frag/rte_ipv6_reassembly.c b/lib/librte_ip_frag/rte_ipv6_reassembly.c
index db249fe60..855e3f740 100644
--- a/lib/librte_ip_frag/rte_ipv6_reassembly.c
+++ b/lib/librte_ip_frag/rte_ipv6_reassembly.c
@@ -59,8 +59,11 @@ ipv6_frag_reassemble(struct ip_frag_pkt *fp)
/* previous fragment found. */
if (fp->frags[i].ofs + fp->frags[i].len == ofs) {
+ RTE_ASSERT(curr_idx != i);
+
/* adjust start of the last fragment data. */
- rte_pktmbuf_adj(m, (uint16_t)(m->l2_len + m->l3_len));
+ rte_pktmbuf_adj(m,
+ (uint16_t)(m->l2_len + m->l3_len));
rte_pktmbuf_chain(fp->frags[i].mb, m);
/* this mbuf should not be accessed directly */
@@ -135,12 +138,13 @@ ipv6_frag_reassemble(struct ip_frag_pkt *fp)
#define FRAG_OFFSET(x) (rte_cpu_to_be_16(x) >> 3)
struct rte_mbuf *
rte_ipv6_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl,
- struct rte_ip_frag_death_row *dr, struct rte_mbuf *mb, uint64_t tms,
- struct ipv6_hdr *ip_hdr, struct ipv6_extension_fragment *frag_hdr)
+ struct rte_ip_frag_death_row *dr, struct rte_mbuf *mb, uint64_t tms,
+ struct ipv6_hdr *ip_hdr, struct ipv6_extension_fragment *frag_hdr)
{
struct ip_frag_pkt *fp;
struct ip_frag_key key;
- uint16_t ip_len, ip_ofs;
+ uint16_t ip_ofs;
+ int32_t ip_len;
rte_memcpy(&key.src_dst[0], ip_hdr->src_addr, 16);
rte_memcpy(&key.src_dst[2], ip_hdr->dst_addr, 16);
@@ -151,15 +155,17 @@ rte_ipv6_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl,
ip_ofs = FRAG_OFFSET(frag_hdr->frag_data) * 8;
/*
- * as per RFC2460, payload length contains all extension headers as well.
- * since we don't support anything but frag headers, this is what we remove
- * from the payload len.
+ * as per RFC2460, payload length contains all extension headers
+ * as well.
+ * since we don't support anything but frag headers,
+ * this is what we remove from the payload len.
*/
ip_len = rte_be_to_cpu_16(ip_hdr->payload_len) - sizeof(*frag_hdr);
IP_FRAG_LOG(DEBUG, "%s:%d:\n"
"mbuf: %p, tms: %" PRIu64
- ", key: <" IPv6_KEY_BYTES_FMT ", %#x>, ofs: %u, len: %u, flags: %#x\n"
+ ", key: <" IPv6_KEY_BYTES_FMT ", %#x>, "
+ "ofs: %u, len: %d, flags: %#x\n"
"tbl: %p, max_cycles: %" PRIu64 ", entry_mask: %#x, "
"max_entries: %u, use_entries: %u\n\n",
__func__, __LINE__,
@@ -168,6 +174,12 @@ rte_ipv6_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl,
tbl, tbl->max_cycles, tbl->entry_mask, tbl->max_entries,
tbl->use_entries);
+ /* check that fragment length is greater then zero. */
+ if (ip_len <= 0) {
+ IP_FRAG_MBUF2DR(dr, mb);
+ return NULL;
+ }
+
/* try to find/add entry into the fragment's table. */
fp = ip_frag_find(tbl, dr, &key, tms);
if (fp == NULL) {
--
2.17.1
^ permalink raw reply [flat|nested] 13+ messages in thread
* [dpdk-dev] [PATCH v2 2/2] ip_frag: use key length for key comparision
2018-11-05 10:26 [dpdk-dev] [PATCH 0/2] ip_frag: two fixes in reassembly code Konstantin Ananyev
` (6 preceding siblings ...)
2018-11-05 12:18 ` [dpdk-dev] [PATCH v2 1/2] ip_frag: check fragment length of incoming packet Konstantin Ananyev
@ 2018-11-05 12:18 ` Konstantin Ananyev
2018-11-06 10:53 ` Burakov, Anatoly
7 siblings, 1 reply; 13+ messages in thread
From: Konstantin Ananyev @ 2018-11-05 12:18 UTC (permalink / raw)
To: dev; +Cc: stable, ryan.e.hall, alexander.v.gutkin, Konstantin Ananyev
Right now reassembly code relies on src_dst[] being all zeroes to
determine is it free/occupied entry in the fragments table.
This is suboptimal and error prone - user can crash DPDK ip_reassembly
app by something like the following scapy script:
x=Ether(src=...,dst=...)/IP(dst='0.0.0.0',src='0.0.0.0',id=0)/('X'*1000)
frags=fragment(x, fragsize=500)
sendp(frags, iface=...)
To overcome that issue and reduce overhead of
'key invalidate' and 'key is empty' operations -
add key_len into keys comparision procedure.
Fixes: 4f1a8f633862 ("ip_frag: add IPv6 reassembly")
Cc: stable@dpdk.org
Reported-by: Ryan E Hall <ryan.e.hall@intel.com>
Reported-by: Alexander V Gutkin <alexander.v.gutkin@intel.com>
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
---
lib/librte_ip_frag/ip_frag_common.h | 14 ++++----------
lib/librte_ip_frag/rte_ip_frag.h | 14 +++++++++++---
2 files changed, 15 insertions(+), 13 deletions(-)
diff --git a/lib/librte_ip_frag/ip_frag_common.h b/lib/librte_ip_frag/ip_frag_common.h
index 0f62e2e16..a17a74076 100644
--- a/lib/librte_ip_frag/ip_frag_common.h
+++ b/lib/librte_ip_frag/ip_frag_common.h
@@ -58,20 +58,14 @@ struct rte_mbuf *ipv6_frag_reassemble(struct ip_frag_pkt *fp);
static inline int
ip_frag_key_is_empty(const struct ip_frag_key * key)
{
- uint32_t i;
- for (i = 0; i < RTE_MIN(key->key_len, RTE_DIM(key->src_dst)); i++)
- if (key->src_dst[i] != 0)
- return 0;
- return 1;
+ return (key->key_len == 0);
}
-/* empty the key */
+/* invalidate the key */
static inline void
ip_frag_key_invalidate(struct ip_frag_key * key)
{
- uint32_t i;
- for (i = 0; i < key->key_len; i++)
- key->src_dst[i] = 0;
+ key->key_len = 0;
}
/* compare two keys */
@@ -80,7 +74,7 @@ ip_frag_key_cmp(const struct ip_frag_key * k1, const struct ip_frag_key * k2)
{
uint32_t i;
uint64_t val;
- val = k1->id ^ k2->id;
+ val = k1->id_key_len ^ k2->id_key_len;
for (i = 0; i < k1->key_len; i++)
val |= k1->src_dst[i] ^ k2->src_dst[i];
return val;
diff --git a/lib/librte_ip_frag/rte_ip_frag.h b/lib/librte_ip_frag/rte_ip_frag.h
index 7f425f610..a4ccaf9d1 100644
--- a/lib/librte_ip_frag/rte_ip_frag.h
+++ b/lib/librte_ip_frag/rte_ip_frag.h
@@ -44,9 +44,17 @@ struct ip_frag {
/** @internal <src addr, dst_addr, id> to uniquely identify fragmented datagram. */
struct ip_frag_key {
- uint64_t src_dst[4]; /**< src address, first 8 bytes used for IPv4 */
- uint32_t id; /**< dst address */
- uint32_t key_len; /**< src/dst key length */
+ uint64_t src_dst[4];
+ /**< src and dst address, only first 8 bytes used for IPv4 */
+ RTE_STD_C11
+ union {
+ uint64_t id_key_len; /**< combined for easy fetch */
+ __extension__
+ struct {
+ uint32_t id; /**< packet id */
+ uint32_t key_len; /**< src/dst key length */
+ };
+ };
};
/**
--
2.17.1
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [dpdk-dev] [PATCH v2 2/2] ip_frag: use key length for key comparision
2018-11-05 12:18 ` [dpdk-dev] [PATCH v2 2/2] ip_frag: use key length for key comparision Konstantin Ananyev
@ 2018-11-06 10:53 ` Burakov, Anatoly
2018-11-06 11:41 ` Ananyev, Konstantin
0 siblings, 1 reply; 13+ messages in thread
From: Burakov, Anatoly @ 2018-11-06 10:53 UTC (permalink / raw)
To: Konstantin Ananyev, dev; +Cc: stable, ryan.e.hall, alexander.v.gutkin
On 05-Nov-18 12:18 PM, Konstantin Ananyev wrote:
> Right now reassembly code relies on src_dst[] being all zeroes to
> determine is it free/occupied entry in the fragments table.
> This is suboptimal and error prone - user can crash DPDK ip_reassembly
> app by something like the following scapy script:
> x=Ether(src=...,dst=...)/IP(dst='0.0.0.0',src='0.0.0.0',id=0)/('X'*1000)
> frags=fragment(x, fragsize=500)
> sendp(frags, iface=...)
> To overcome that issue and reduce overhead of
> 'key invalidate' and 'key is empty' operations -
> add key_len into keys comparision procedure.
>
> Fixes: 4f1a8f633862 ("ip_frag: add IPv6 reassembly")
> Cc: stable@dpdk.org
>
> Reported-by: Ryan E Hall <ryan.e.hall@intel.com>
> Reported-by: Alexander V Gutkin <alexander.v.gutkin@intel.com>
> Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
> ---
> @@ -44,9 +44,17 @@ struct ip_frag {
>
> /** @internal <src addr, dst_addr, id> to uniquely identify fragmented datagram. */
> struct ip_frag_key {
> - uint64_t src_dst[4]; /**< src address, first 8 bytes used for IPv4 */
> - uint32_t id; /**< dst address */
> - uint32_t key_len; /**< src/dst key length */
> + uint64_t src_dst[4];
> + /**< src and dst address, only first 8 bytes used for IPv4 */
> + RTE_STD_C11
> + union {
> + uint64_t id_key_len; /**< combined for easy fetch */
> + __extension__
> + struct {
> + uint32_t id; /**< packet id */
> + uint32_t key_len; /**< src/dst key length */
> + };
> + };
> };
Would that break ABI?
>
> /**
>
--
Thanks,
Anatoly
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [dpdk-dev] [PATCH v2 2/2] ip_frag: use key length for key comparision
2018-11-06 10:53 ` Burakov, Anatoly
@ 2018-11-06 11:41 ` Ananyev, Konstantin
0 siblings, 0 replies; 13+ messages in thread
From: Ananyev, Konstantin @ 2018-11-06 11:41 UTC (permalink / raw)
To: Burakov, Anatoly, dev; +Cc: stable, Hall, Ryan E, Gutkin, Alexander V
> -----Original Message-----
> From: Burakov, Anatoly
> Sent: Tuesday, November 6, 2018 10:54 AM
> To: Ananyev, Konstantin <konstantin.ananyev@intel.com>; dev@dpdk.org
> Cc: stable@dpdk.org; Hall, Ryan E <ryan.e.hall@intel.com>; Gutkin, Alexander V <alexander.v.gutkin@intel.com>
> Subject: Re: [dpdk-dev] [PATCH v2 2/2] ip_frag: use key length for key comparision
>
> On 05-Nov-18 12:18 PM, Konstantin Ananyev wrote:
> > Right now reassembly code relies on src_dst[] being all zeroes to
> > determine is it free/occupied entry in the fragments table.
> > This is suboptimal and error prone - user can crash DPDK ip_reassembly
> > app by something like the following scapy script:
> > x=Ether(src=...,dst=...)/IP(dst='0.0.0.0',src='0.0.0.0',id=0)/('X'*1000)
> > frags=fragment(x, fragsize=500)
> > sendp(frags, iface=...)
> > To overcome that issue and reduce overhead of
> > 'key invalidate' and 'key is empty' operations -
> > add key_len into keys comparision procedure.
> >
> > Fixes: 4f1a8f633862 ("ip_frag: add IPv6 reassembly")
> > Cc: stable@dpdk.org
> >
> > Reported-by: Ryan E Hall <ryan.e.hall@intel.com>
> > Reported-by: Alexander V Gutkin <alexander.v.gutkin@intel.com>
> > Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
> > ---
>
>
>
> > @@ -44,9 +44,17 @@ struct ip_frag {
> >
> > /** @internal <src addr, dst_addr, id> to uniquely identify fragmented datagram. */
> > struct ip_frag_key {
> > - uint64_t src_dst[4]; /**< src address, first 8 bytes used for IPv4 */
> > - uint32_t id; /**< dst address */
> > - uint32_t key_len; /**< src/dst key length */
> > + uint64_t src_dst[4];
> > + /**< src and dst address, only first 8 bytes used for IPv4 */
> > + RTE_STD_C11
> > + union {
> > + uint64_t id_key_len; /**< combined for easy fetch */
> > + __extension__
> > + struct {
> > + uint32_t id; /**< packet id */
> > + uint32_t key_len; /**< src/dst key length */
> > + };
> > + };
> > };
>
> Would that break ABI?
No, size and layout of the structure remains the same.
Konstantin
^ permalink raw reply [flat|nested] 13+ messages in thread