From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <3chas3@gmail.com>
Received: from mail-qt1-f193.google.com (mail-qt1-f193.google.com
 [209.85.160.193]) by dpdk.org (Postfix) with ESMTP id B19CA1BC87
 for <dev@dpdk.org>; Fri, 19 Apr 2019 00:57:31 +0200 (CEST)
Received: by mail-qt1-f193.google.com with SMTP id s15so3979744qtn.3
 for <dev@dpdk.org>; Thu, 18 Apr 2019 15:57:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=subject:to:references:from:message-id:date:user-agent:mime-version
 :in-reply-to:content-language:content-transfer-encoding;
 bh=jXBD4CAAOW51IgHRsMpml9gzk0LqQ4CY6TzHA/3jR74=;
 b=KN1uowiEm5l8JLOujcbrDVMr5iqIr0Tk1w9/0h+ZC1voN1J5c/xgD+MLoK2O8asd7Y
 ej2YrsEpUgNXTMcmRndeGVqa5y0aLsPE0ZN6fpXn2WcwhfgWHqMd0AqDKvHh8gfRkt58
 c+15HI2Ky4X46dZ0yLGYuRsRmQ2zEbKM4VfV42Cyzg6KzM0/+yR1EUEBvlcnc3IvM8mu
 0tEprTzwKIAnqPowqNrMnQZeqAUqX/Q9PPj4rxmrbj+Ed+V0CuL7UzIXSu+DanuE7dh9
 tKQrc0i5lYML35rNXJ3j2Yy1LboSBVs7nD6xT0CWrKnkzyOGB/BhMgN3ObfeIcriice7
 ue2Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:subject:to:references:from:message-id:date
 :user-agent:mime-version:in-reply-to:content-language
 :content-transfer-encoding;
 bh=jXBD4CAAOW51IgHRsMpml9gzk0LqQ4CY6TzHA/3jR74=;
 b=tK9er9LcinOeFkQnP5VpWcH5hh3pLGrRMt4lEbTqUUSPDF+an9HlXGIYIf3kBaOM31
 ShSXAzS1Hg9vg1CRx3y8cGHs+2kKfHQNT8Rr7HrmkPVTyY4lo8s538UONxDYrcs8RmHR
 6AdM6xISiy0Ia39KJBWEIS7T8C6uV9b+RB9MoQL1vxF/f5T5vtt1eQGSR8vsNnTos6aV
 59EphMoM61vr7yk79TE3z3RsmxoY+BvPKiNyftOvEICLfioHU6yFFaZR3JbNbwxPYHxD
 CjQ30p3ZUOMqSzeO5JCioXmEYClj0vmbiR9N9/s+4LHavb9d2SZttHQDHSr5+4uNgZpH
 MhaQ==
X-Gm-Message-State: APjAAAUXuZahNFIPiVXsGcciZu7HTBZa06CcGPI8qlIa2zv1trFW2frC
 hRYlSvs8+LKHgdQ3C9Or5491PbZ8
X-Google-Smtp-Source: APXvYqzF6HI+NeF1tV/0mCN4oBYHF1iYWnJ9ghd+Tc7T9gVzCq5jvF0KwWkii+7kJgIa+RkXfeT2+A==
X-Received: by 2002:a0c:d266:: with SMTP id o35mr683003qvh.111.1555628250923; 
 Thu, 18 Apr 2019 15:57:30 -0700 (PDT)
Received: from [192.168.1.10] (pool-96-255-82-34.washdc.fios.verizon.net.
 [96.255.82.34])
 by smtp.gmail.com with ESMTPSA id f47sm2031823qta.80.2019.04.18.15.57.30
 for <dev@dpdk.org>
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Thu, 18 Apr 2019 15:57:30 -0700 (PDT)
To: dev@dpdk.org
References: <1555320458-9432-1-git-send-email-radu.nicolau@intel.com>
 <1555511807-18405-1-git-send-email-radu.nicolau@intel.com>
 <6e63cbb0-3619-dee0-5cfe-9a19cb4b22de@intel.com>
From: Chas Williams <3chas3@gmail.com>
Message-ID: <cd164cff-35df-d58c-cb5b-73d50c3c9fe8@gmail.com>
Date: Thu, 18 Apr 2019 18:57:29 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: <6e63cbb0-3619-dee0-5cfe-9a19cb4b22de@intel.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Subject: Re: [dpdk-dev] [PATCH v3] net/bonding: fix potential out of bounds
 read
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Apr 2019 22:57:32 -0000



On 4/18/19 2:41 PM, Ferruh Yigit wrote:
> On 4/17/2019 3:36 PM, Radu Nicolau wrote:
>> Add validation to pointer constructed from the IPv4 header length
>> in order to prevent malformed packets from generating a potential
>> out of bounds memory read.
>>
>> Fixes: 09150784a776 ("net/bonding: burst mode hash calculation")
>> Cc: stable@dpdk.org
>>
>> Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
> 
> Hi Chas,
> 
> Do you have any objection on the patch?
> Functionally looks correct to me, but additional checks in datapath perhaps can
> be a concern, if not I am for getting the patch.

I don't think the calculation is a huge concern.

Acked-by: Chas Williams <chas3@att.com>

> 
>> ---
>> v2: add fixes lines
>> v3: fix buffer end calculation
>>
>>   drivers/net/bonding/rte_eth_bond_pmd.c | 9 +++++++--
>>   1 file changed, 7 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/net/bonding/rte_eth_bond_pmd.c b/drivers/net/bonding/rte_eth_bond_pmd.c
>> index b0d191d..2b7f2b3 100644
>> --- a/drivers/net/bonding/rte_eth_bond_pmd.c
>> +++ b/drivers/net/bonding/rte_eth_bond_pmd.c
>> @@ -842,6 +842,7 @@ burst_xmit_l34_hash(struct rte_mbuf **buf, uint16_t nb_pkts,
>>   
>>   	for (i = 0; i < nb_pkts; i++) {
>>   		eth_hdr = rte_pktmbuf_mtod(buf[i], struct ether_hdr *);
>> +		size_t pkt_end = (size_t)eth_hdr + rte_pktmbuf_data_len(buf[i]);
>>   		proto = eth_hdr->ether_type;
>>   		vlan_offset = get_vlan_offset(eth_hdr, &proto);
>>   		l3hash = 0;
>> @@ -865,13 +866,17 @@ burst_xmit_l34_hash(struct rte_mbuf **buf, uint16_t nb_pkts,
>>   					tcp_hdr = (struct tcp_hdr *)
>>   						((char *)ipv4_hdr +
>>   							ip_hdr_offset);
>> -					l4hash = HASH_L4_PORTS(tcp_hdr);
>> +					if ((size_t)tcp_hdr + sizeof(*tcp_hdr)
>> +							< pkt_end)
>> +						l4hash = HASH_L4_PORTS(tcp_hdr);
>>   				} else if (ipv4_hdr->next_proto_id ==
>>   								IPPROTO_UDP) {
>>   					udp_hdr = (struct udp_hdr *)
>>   						((char *)ipv4_hdr +
>>   							ip_hdr_offset);
>> -					l4hash = HASH_L4_PORTS(udp_hdr);
>> +					if ((size_t)udp_hdr + sizeof(*udp_hdr)
>> +							< pkt_end)
>> +						l4hash = HASH_L4_PORTS(udp_hdr);
>>   				}
>>   			}
>>   		} else if  (rte_cpu_to_be_16(ETHER_TYPE_IPv6) == proto) {
>>
> 

From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from dpdk.org (dpdk.org [92.243.14.124])
	by dpdk.space (Postfix) with ESMTP id 1446CA00E6
	for <public@inbox.dpdk.org>; Fri, 19 Apr 2019 00:57:35 +0200 (CEST)
Received: from [92.243.14.124] (localhost [127.0.0.1])
	by dpdk.org (Postfix) with ESMTP id 79CF31BC8C;
	Fri, 19 Apr 2019 00:57:34 +0200 (CEST)
Received: from mail-qt1-f193.google.com (mail-qt1-f193.google.com
 [209.85.160.193]) by dpdk.org (Postfix) with ESMTP id B19CA1BC87
 for <dev@dpdk.org>; Fri, 19 Apr 2019 00:57:31 +0200 (CEST)
Received: by mail-qt1-f193.google.com with SMTP id s15so3979744qtn.3
 for <dev@dpdk.org>; Thu, 18 Apr 2019 15:57:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=subject:to:references:from:message-id:date:user-agent:mime-version
 :in-reply-to:content-language:content-transfer-encoding;
 bh=jXBD4CAAOW51IgHRsMpml9gzk0LqQ4CY6TzHA/3jR74=;
 b=KN1uowiEm5l8JLOujcbrDVMr5iqIr0Tk1w9/0h+ZC1voN1J5c/xgD+MLoK2O8asd7Y
 ej2YrsEpUgNXTMcmRndeGVqa5y0aLsPE0ZN6fpXn2WcwhfgWHqMd0AqDKvHh8gfRkt58
 c+15HI2Ky4X46dZ0yLGYuRsRmQ2zEbKM4VfV42Cyzg6KzM0/+yR1EUEBvlcnc3IvM8mu
 0tEprTzwKIAnqPowqNrMnQZeqAUqX/Q9PPj4rxmrbj+Ed+V0CuL7UzIXSu+DanuE7dh9
 tKQrc0i5lYML35rNXJ3j2Yy1LboSBVs7nD6xT0CWrKnkzyOGB/BhMgN3ObfeIcriice7
 ue2Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:subject:to:references:from:message-id:date
 :user-agent:mime-version:in-reply-to:content-language
 :content-transfer-encoding;
 bh=jXBD4CAAOW51IgHRsMpml9gzk0LqQ4CY6TzHA/3jR74=;
 b=tK9er9LcinOeFkQnP5VpWcH5hh3pLGrRMt4lEbTqUUSPDF+an9HlXGIYIf3kBaOM31
 ShSXAzS1Hg9vg1CRx3y8cGHs+2kKfHQNT8Rr7HrmkPVTyY4lo8s538UONxDYrcs8RmHR
 6AdM6xISiy0Ia39KJBWEIS7T8C6uV9b+RB9MoQL1vxF/f5T5vtt1eQGSR8vsNnTos6aV
 59EphMoM61vr7yk79TE3z3RsmxoY+BvPKiNyftOvEICLfioHU6yFFaZR3JbNbwxPYHxD
 CjQ30p3ZUOMqSzeO5JCioXmEYClj0vmbiR9N9/s+4LHavb9d2SZttHQDHSr5+4uNgZpH
 MhaQ==
X-Gm-Message-State: APjAAAUXuZahNFIPiVXsGcciZu7HTBZa06CcGPI8qlIa2zv1trFW2frC
 hRYlSvs8+LKHgdQ3C9Or5491PbZ8
X-Google-Smtp-Source: APXvYqzF6HI+NeF1tV/0mCN4oBYHF1iYWnJ9ghd+Tc7T9gVzCq5jvF0KwWkii+7kJgIa+RkXfeT2+A==
X-Received: by 2002:a0c:d266:: with SMTP id o35mr683003qvh.111.1555628250923; 
 Thu, 18 Apr 2019 15:57:30 -0700 (PDT)
Received: from [192.168.1.10] (pool-96-255-82-34.washdc.fios.verizon.net.
 [96.255.82.34])
 by smtp.gmail.com with ESMTPSA id f47sm2031823qta.80.2019.04.18.15.57.30
 for <dev@dpdk.org>
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Thu, 18 Apr 2019 15:57:30 -0700 (PDT)
To: dev@dpdk.org
References: <1555320458-9432-1-git-send-email-radu.nicolau@intel.com>
 <1555511807-18405-1-git-send-email-radu.nicolau@intel.com>
 <6e63cbb0-3619-dee0-5cfe-9a19cb4b22de@intel.com>
From: Chas Williams <3chas3@gmail.com>
Message-ID: <cd164cff-35df-d58c-cb5b-73d50c3c9fe8@gmail.com>
Date: Thu, 18 Apr 2019 18:57:29 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: <6e63cbb0-3619-dee0-5cfe-9a19cb4b22de@intel.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Subject: Re: [dpdk-dev] [PATCH v3] net/bonding: fix potential out of bounds
 read
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>
Message-ID: <20190418225729.VZ9V-PSJJSIIYjFaKaZbHq0INJNl0rkOLGBA7nZQ8fI@z>



On 4/18/19 2:41 PM, Ferruh Yigit wrote:
> On 4/17/2019 3:36 PM, Radu Nicolau wrote:
>> Add validation to pointer constructed from the IPv4 header length
>> in order to prevent malformed packets from generating a potential
>> out of bounds memory read.
>>
>> Fixes: 09150784a776 ("net/bonding: burst mode hash calculation")
>> Cc: stable@dpdk.org
>>
>> Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
> 
> Hi Chas,
> 
> Do you have any objection on the patch?
> Functionally looks correct to me, but additional checks in datapath perhaps can
> be a concern, if not I am for getting the patch.

I don't think the calculation is a huge concern.

Acked-by: Chas Williams <chas3@att.com>

> 
>> ---
>> v2: add fixes lines
>> v3: fix buffer end calculation
>>
>>   drivers/net/bonding/rte_eth_bond_pmd.c | 9 +++++++--
>>   1 file changed, 7 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/net/bonding/rte_eth_bond_pmd.c b/drivers/net/bonding/rte_eth_bond_pmd.c
>> index b0d191d..2b7f2b3 100644
>> --- a/drivers/net/bonding/rte_eth_bond_pmd.c
>> +++ b/drivers/net/bonding/rte_eth_bond_pmd.c
>> @@ -842,6 +842,7 @@ burst_xmit_l34_hash(struct rte_mbuf **buf, uint16_t nb_pkts,
>>   
>>   	for (i = 0; i < nb_pkts; i++) {
>>   		eth_hdr = rte_pktmbuf_mtod(buf[i], struct ether_hdr *);
>> +		size_t pkt_end = (size_t)eth_hdr + rte_pktmbuf_data_len(buf[i]);
>>   		proto = eth_hdr->ether_type;
>>   		vlan_offset = get_vlan_offset(eth_hdr, &proto);
>>   		l3hash = 0;
>> @@ -865,13 +866,17 @@ burst_xmit_l34_hash(struct rte_mbuf **buf, uint16_t nb_pkts,
>>   					tcp_hdr = (struct tcp_hdr *)
>>   						((char *)ipv4_hdr +
>>   							ip_hdr_offset);
>> -					l4hash = HASH_L4_PORTS(tcp_hdr);
>> +					if ((size_t)tcp_hdr + sizeof(*tcp_hdr)
>> +							< pkt_end)
>> +						l4hash = HASH_L4_PORTS(tcp_hdr);
>>   				} else if (ipv4_hdr->next_proto_id ==
>>   								IPPROTO_UDP) {
>>   					udp_hdr = (struct udp_hdr *)
>>   						((char *)ipv4_hdr +
>>   							ip_hdr_offset);
>> -					l4hash = HASH_L4_PORTS(udp_hdr);
>> +					if ((size_t)udp_hdr + sizeof(*udp_hdr)
>> +							< pkt_end)
>> +						l4hash = HASH_L4_PORTS(udp_hdr);
>>   				}
>>   			}
>>   		} else if  (rte_cpu_to_be_16(ETHER_TYPE_IPv6) == proto) {
>>
>