From: Jiayu Hu
To: dev@dpdk.org
Cc: tiwei.bie@intel.com, Jiayu Hu, stable@dpdk.org
Date: Fri, 4 Jan 2019 09:57:16 +0800
Message-Id: <1546567036-29444-1-git-send-email-jiayu.hu@intel.com>
Subject: [dpdk-stable] [PATCH] gro: fix overflow of TCP Options length calculation

If we receive a packet with an invalid TCP header, whose TCP header length is less than 20 bytes (the minimal TCP header length), the calculated TCP Options length will overflow and result in incorrect reassembly behaviors.

Fixes: 0d2cbe59b719 ("lib/gro: support TCP/IPv4")
Fixes: 9e0b9d2ec0f4 ("gro: support VxLAN GRO")
Cc: stable@dpdk.org

Signed-off-by: Jiayu Hu
---
 lib/librte_gro/gro_tcp4.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/librte_gro/gro_tcp4.h b/lib/librte_gro/gro_tcp4.h
index 6bb30cd..189cea3 100644
--- a/lib/librte_gro/gro_tcp4.h
+++ b/lib/librte_gro/gro_tcp4.h
@@ -266,7 +266,8 @@ check_seq_option(struct gro_tcp4_item *item, struct rte_mbuf *pkt_orig = item->firstseg; struct ipv4_hdr *iph_orig; struct tcp_hdr *tcph_orig; - uint16_t len, tcp_hl_orig; + uint16_t tcp_hl_orig; + int32_t len; iph_orig = (struct ipv4_hdr *)(rte_pktmbuf_mtod(pkt_orig, char *) + l2_offset + pkt_orig->l2_len); -- 2.7.4
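Review bot: in check_seq_option, changing `len` from `uint16_t` to `int32_t` only stops the wrap-around; nothing in this hunk rejects a TCP header length below 20 bytes, so the fix depends entirely on how `len` is used further down, outside the visible context. Please confirm that every later use tests `len > 0` (not `len != 0`) before `len` is passed as a size or compared with an unsigned value, because a negative `int32_t` converted to `size_t` becomes a very large length again. An explicit early return when the header length is shorter than `sizeof(struct tcp_hdr)` would make the intent clearer than relying on signedness, and a short comment on the `int32_t len;` declaration explaining why it is signed would keep a later cleanup from turning it back into an unsigned type.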