From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: <3chas3@gmail.com> Received: from mail-qt1-f193.google.com (mail-qt1-f193.google.com [209.85.160.193]) by dpdk.org (Postfix) with ESMTP id B19CA1BC87 for ; Fri, 19 Apr 2019 00:57:31 +0200 (CEST) Received: by mail-qt1-f193.google.com with SMTP id s15so3979744qtn.3 for ; Thu, 18 Apr 2019 15:57:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=jXBD4CAAOW51IgHRsMpml9gzk0LqQ4CY6TzHA/3jR74=; b=KN1uowiEm5l8JLOujcbrDVMr5iqIr0Tk1w9/0h+ZC1voN1J5c/xgD+MLoK2O8asd7Y ej2YrsEpUgNXTMcmRndeGVqa5y0aLsPE0ZN6fpXn2WcwhfgWHqMd0AqDKvHh8gfRkt58 c+15HI2Ky4X46dZ0yLGYuRsRmQ2zEbKM4VfV42Cyzg6KzM0/+yR1EUEBvlcnc3IvM8mu 0tEprTzwKIAnqPowqNrMnQZeqAUqX/Q9PPj4rxmrbj+Ed+V0CuL7UzIXSu+DanuE7dh9 tKQrc0i5lYML35rNXJ3j2Yy1LboSBVs7nD6xT0CWrKnkzyOGB/BhMgN3ObfeIcriice7 ue2Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=jXBD4CAAOW51IgHRsMpml9gzk0LqQ4CY6TzHA/3jR74=; b=tK9er9LcinOeFkQnP5VpWcH5hh3pLGrRMt4lEbTqUUSPDF+an9HlXGIYIf3kBaOM31 ShSXAzS1Hg9vg1CRx3y8cGHs+2kKfHQNT8Rr7HrmkPVTyY4lo8s538UONxDYrcs8RmHR 6AdM6xISiy0Ia39KJBWEIS7T8C6uV9b+RB9MoQL1vxF/f5T5vtt1eQGSR8vsNnTos6aV 59EphMoM61vr7yk79TE3z3RsmxoY+BvPKiNyftOvEICLfioHU6yFFaZR3JbNbwxPYHxD CjQ30p3ZUOMqSzeO5JCioXmEYClj0vmbiR9N9/s+4LHavb9d2SZttHQDHSr5+4uNgZpH MhaQ== X-Gm-Message-State: APjAAAUXuZahNFIPiVXsGcciZu7HTBZa06CcGPI8qlIa2zv1trFW2frC hRYlSvs8+LKHgdQ3C9Or5491PbZ8 X-Google-Smtp-Source: APXvYqzF6HI+NeF1tV/0mCN4oBYHF1iYWnJ9ghd+Tc7T9gVzCq5jvF0KwWkii+7kJgIa+RkXfeT2+A== X-Received: by 2002:a0c:d266:: with SMTP id o35mr683003qvh.111.1555628250923; Thu, 18 Apr 2019 15:57:30 -0700 (PDT) Received: from [192.168.1.10] (pool-96-255-82-34.washdc.fios.verizon.net. [96.255.82.34]) by smtp.gmail.com with ESMTPSA id f47sm2031823qta.80.2019.04.18.15.57.30 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 18 Apr 2019 15:57:30 -0700 (PDT) To: dev@dpdk.org References: <1555320458-9432-1-git-send-email-radu.nicolau@intel.com> <1555511807-18405-1-git-send-email-radu.nicolau@intel.com> <6e63cbb0-3619-dee0-5cfe-9a19cb4b22de@intel.com> From: Chas Williams <3chas3@gmail.com> Message-ID: Date: Thu, 18 Apr 2019 18:57:29 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0 MIME-Version: 1.0 In-Reply-To: <6e63cbb0-3619-dee0-5cfe-9a19cb4b22de@intel.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Subject: Re: [dpdk-dev] [PATCH v3] net/bonding: fix potential out of bounds read X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Apr 2019 22:57:32 -0000 On 4/18/19 2:41 PM, Ferruh Yigit wrote: > On 4/17/2019 3:36 PM, Radu Nicolau wrote: >> Add validation to pointer constructed from the IPv4 header length >> in order to prevent malformed packets from generating a potential >> out of bounds memory read. >> >> Fixes: 09150784a776 ("net/bonding: burst mode hash calculation") >> Cc: stable@dpdk.org >> >> Signed-off-by: Radu Nicolau > > Hi Chas, > > Do you have any objection on the patch? > Functionally looks correct to me, but additional checks in datapath perhaps can > be a concern, if not I am for getting the patch. I don't think the calculation is a huge concern. Acked-by: Chas Williams > >> --- >> v2: add fixes lines >> v3: fix buffer end calculation >> >> drivers/net/bonding/rte_eth_bond_pmd.c | 9 +++++++-- >> 1 file changed, 7 insertions(+), 2 deletions(-) >> >> diff --git a/drivers/net/bonding/rte_eth_bond_pmd.c b/drivers/net/bonding/rte_eth_bond_pmd.c >> index b0d191d..2b7f2b3 100644 >> --- a/drivers/net/bonding/rte_eth_bond_pmd.c >> +++ b/drivers/net/bonding/rte_eth_bond_pmd.c >> @@ -842,6 +842,7 @@ burst_xmit_l34_hash(struct rte_mbuf **buf, uint16_t nb_pkts, >> >> for (i = 0; i < nb_pkts; i++) { >> eth_hdr = rte_pktmbuf_mtod(buf[i], struct ether_hdr *); >> + size_t pkt_end = (size_t)eth_hdr + rte_pktmbuf_data_len(buf[i]); >> proto = eth_hdr->ether_type; >> vlan_offset = get_vlan_offset(eth_hdr, &proto); >> l3hash = 0; >> @@ -865,13 +866,17 @@ burst_xmit_l34_hash(struct rte_mbuf **buf, uint16_t nb_pkts, >> tcp_hdr = (struct tcp_hdr *) >> ((char *)ipv4_hdr + >> ip_hdr_offset); >> - l4hash = HASH_L4_PORTS(tcp_hdr); >> + if ((size_t)tcp_hdr + sizeof(*tcp_hdr) >> + < pkt_end) >> + l4hash = HASH_L4_PORTS(tcp_hdr); >> } else if (ipv4_hdr->next_proto_id == >> IPPROTO_UDP) { >> udp_hdr = (struct udp_hdr *) >> ((char *)ipv4_hdr + >> ip_hdr_offset); >> - l4hash = HASH_L4_PORTS(udp_hdr); >> + if ((size_t)udp_hdr + sizeof(*udp_hdr) >> + < pkt_end) >> + l4hash = HASH_L4_PORTS(udp_hdr); >> } >> } >> } else if (rte_cpu_to_be_16(ETHER_TYPE_IPv6) == proto) { >> > From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by dpdk.space (Postfix) with ESMTP id 1446CA00E6 for ; Fri, 19 Apr 2019 00:57:35 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 79CF31BC8C; Fri, 19 Apr 2019 00:57:34 +0200 (CEST) Received: from mail-qt1-f193.google.com (mail-qt1-f193.google.com [209.85.160.193]) by dpdk.org (Postfix) with ESMTP id B19CA1BC87 for ; Fri, 19 Apr 2019 00:57:31 +0200 (CEST) Received: by mail-qt1-f193.google.com with SMTP id s15so3979744qtn.3 for ; Thu, 18 Apr 2019 15:57:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=jXBD4CAAOW51IgHRsMpml9gzk0LqQ4CY6TzHA/3jR74=; b=KN1uowiEm5l8JLOujcbrDVMr5iqIr0Tk1w9/0h+ZC1voN1J5c/xgD+MLoK2O8asd7Y ej2YrsEpUgNXTMcmRndeGVqa5y0aLsPE0ZN6fpXn2WcwhfgWHqMd0AqDKvHh8gfRkt58 c+15HI2Ky4X46dZ0yLGYuRsRmQ2zEbKM4VfV42Cyzg6KzM0/+yR1EUEBvlcnc3IvM8mu 0tEprTzwKIAnqPowqNrMnQZeqAUqX/Q9PPj4rxmrbj+Ed+V0CuL7UzIXSu+DanuE7dh9 tKQrc0i5lYML35rNXJ3j2Yy1LboSBVs7nD6xT0CWrKnkzyOGB/BhMgN3ObfeIcriice7 ue2Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=jXBD4CAAOW51IgHRsMpml9gzk0LqQ4CY6TzHA/3jR74=; b=tK9er9LcinOeFkQnP5VpWcH5hh3pLGrRMt4lEbTqUUSPDF+an9HlXGIYIf3kBaOM31 ShSXAzS1Hg9vg1CRx3y8cGHs+2kKfHQNT8Rr7HrmkPVTyY4lo8s538UONxDYrcs8RmHR 6AdM6xISiy0Ia39KJBWEIS7T8C6uV9b+RB9MoQL1vxF/f5T5vtt1eQGSR8vsNnTos6aV 59EphMoM61vr7yk79TE3z3RsmxoY+BvPKiNyftOvEICLfioHU6yFFaZR3JbNbwxPYHxD CjQ30p3ZUOMqSzeO5JCioXmEYClj0vmbiR9N9/s+4LHavb9d2SZttHQDHSr5+4uNgZpH MhaQ== X-Gm-Message-State: APjAAAUXuZahNFIPiVXsGcciZu7HTBZa06CcGPI8qlIa2zv1trFW2frC hRYlSvs8+LKHgdQ3C9Or5491PbZ8 X-Google-Smtp-Source: APXvYqzF6HI+NeF1tV/0mCN4oBYHF1iYWnJ9ghd+Tc7T9gVzCq5jvF0KwWkii+7kJgIa+RkXfeT2+A== X-Received: by 2002:a0c:d266:: with SMTP id o35mr683003qvh.111.1555628250923; Thu, 18 Apr 2019 15:57:30 -0700 (PDT) Received: from [192.168.1.10] (pool-96-255-82-34.washdc.fios.verizon.net. [96.255.82.34]) by smtp.gmail.com with ESMTPSA id f47sm2031823qta.80.2019.04.18.15.57.30 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 18 Apr 2019 15:57:30 -0700 (PDT) To: dev@dpdk.org References: <1555320458-9432-1-git-send-email-radu.nicolau@intel.com> <1555511807-18405-1-git-send-email-radu.nicolau@intel.com> <6e63cbb0-3619-dee0-5cfe-9a19cb4b22de@intel.com> From: Chas Williams <3chas3@gmail.com> Message-ID: Date: Thu, 18 Apr 2019 18:57:29 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0 MIME-Version: 1.0 In-Reply-To: <6e63cbb0-3619-dee0-5cfe-9a19cb4b22de@intel.com> Content-Type: text/plain; charset="UTF-8"; format="flowed" Content-Language: en-US Content-Transfer-Encoding: 7bit Subject: Re: [dpdk-dev] [PATCH v3] net/bonding: fix potential out of bounds read X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Message-ID: <20190418225729.VZ9V-PSJJSIIYjFaKaZbHq0INJNl0rkOLGBA7nZQ8fI@z> On 4/18/19 2:41 PM, Ferruh Yigit wrote: > On 4/17/2019 3:36 PM, Radu Nicolau wrote: >> Add validation to pointer constructed from the IPv4 header length >> in order to prevent malformed packets from generating a potential >> out of bounds memory read. >> >> Fixes: 09150784a776 ("net/bonding: burst mode hash calculation") >> Cc: stable@dpdk.org >> >> Signed-off-by: Radu Nicolau > > Hi Chas, > > Do you have any objection on the patch? > Functionally looks correct to me, but additional checks in datapath perhaps can > be a concern, if not I am for getting the patch. I don't think the calculation is a huge concern. Acked-by: Chas Williams > >> --- >> v2: add fixes lines >> v3: fix buffer end calculation >> >> drivers/net/bonding/rte_eth_bond_pmd.c | 9 +++++++-- >> 1 file changed, 7 insertions(+), 2 deletions(-) >> >> diff --git a/drivers/net/bonding/rte_eth_bond_pmd.c b/drivers/net/bonding/rte_eth_bond_pmd.c >> index b0d191d..2b7f2b3 100644 >> --- a/drivers/net/bonding/rte_eth_bond_pmd.c >> +++ b/drivers/net/bonding/rte_eth_bond_pmd.c >> @@ -842,6 +842,7 @@ burst_xmit_l34_hash(struct rte_mbuf **buf, uint16_t nb_pkts, >> >> for (i = 0; i < nb_pkts; i++) { >> eth_hdr = rte_pktmbuf_mtod(buf[i], struct ether_hdr *); >> + size_t pkt_end = (size_t)eth_hdr + rte_pktmbuf_data_len(buf[i]); >> proto = eth_hdr->ether_type; >> vlan_offset = get_vlan_offset(eth_hdr, &proto); >> l3hash = 0; >> @@ -865,13 +866,17 @@ burst_xmit_l34_hash(struct rte_mbuf **buf, uint16_t nb_pkts, >> tcp_hdr = (struct tcp_hdr *) >> ((char *)ipv4_hdr + >> ip_hdr_offset); >> - l4hash = HASH_L4_PORTS(tcp_hdr); >> + if ((size_t)tcp_hdr + sizeof(*tcp_hdr) >> + < pkt_end) >> + l4hash = HASH_L4_PORTS(tcp_hdr); >> } else if (ipv4_hdr->next_proto_id == >> IPPROTO_UDP) { >> udp_hdr = (struct udp_hdr *) >> ((char *)ipv4_hdr + >> ip_hdr_offset); >> - l4hash = HASH_L4_PORTS(udp_hdr); >> + if ((size_t)udp_hdr + sizeof(*udp_hdr) >> + < pkt_end) >> + l4hash = HASH_L4_PORTS(udp_hdr); >> } >> } >> } else if (rte_cpu_to_be_16(ETHER_TYPE_IPv6) == proto) { >> >