From: "Purnima, Kompella V"
To: "users@dpdk.org"
Subject: IP reassembly can cause memory corruption?
Date: Wed, 8 Dec 2021 20:49:15 +0000
List-Id: DPDK usage discussions

Hi

I am using DPDK 19.11 version. Following are my findings

struct rte_ip_frag_death_row {
        uint32_t cnt;          /**< number of mbufs currently on death row */
        struct rte_mbuf *row[IP_FRAG_DEATH_ROW_MBUF_LEN];
        /**< mbufs to be freed */
};

#define IP_FRAG_MBUF2DR(dr, mb)    ((dr)->row[(dr)->cnt++] = (mb))

When calling IP_FRAG_MBUF2DR, there is no check for cnt < IP_FRAG_DEATH_ROW_MBUF_LEN.
So whenever (cnt >= IP_FRAG_DEATH_ROW_MBUF_LEN) happens, IP_FRAG_MBUF2DR will corrupt memory due to array-bound overflow.

Late arrival or non-arrival of all fragments of packets - any of these common scenarios can cause the corruption!!

Is this a known issue?

Thanks
Purnima
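
The missing check described in the message above, sketched as an added example (not part of the original post and not DPDK code). struct mbuf, struct death_row, DR_MBUF_LEN, dr_add, dr_drain and queue_expired are hypothetical stand-ins, and the capacity of 4 is constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
/* Stand-ins for this example only; these are not DPDK's definitions. */
#define DR_MBUF_LEN 4u               /* constructed, deliberately small capacity */
struct mbuf { int id; };             /* stand-in for struct rte_mbuf */
struct death_row {
    uint32_t cnt;                    /* number of mbufs currently queued */
    struct mbuf *row[DR_MBUF_LEN];   /* mbufs waiting to be freed */
};

/* Append with the check the macro in the post lacks: a full row is refused. */
static int dr_add(struct death_row *dr, struct mbuf *mb)
{
    if (dr == NULL || mb == NULL || dr->cnt >= DR_MBUF_LEN)
        return -1;
    dr->row[dr->cnt++] = mb;
    return 0;
}

/* Stand-in for releasing the queued mbufs; returns how many were released. */
static uint32_t dr_drain(struct death_row *dr)
{
    uint32_t n = dr->cnt;
    dr->cnt = 0;
    return n;
}

/* Queue n expired fragments, draining whenever the row is full.
 * Returns the highest cnt observed; *drained accumulates released mbufs. */
static uint32_t queue_expired(struct death_row *dr, struct mbuf *pool,
                              uint32_t n, uint32_t *drained)
{
    uint32_t peak = 0;
    for (uint32_t i = 0; i < n; i++) {
        if (dr_add(dr, &pool[i]) != 0) {
            *drained += dr_drain(dr);
            (void)dr_add(dr, &pool[i]);   /* row is empty now, cannot fail */
        }
        if (dr->cnt > peak) peak = dr->cnt;
    }
    return peak;
}

int main(void)
{
    struct death_row dr = {0};
    struct mbuf pool[10] = {{0}};
    uint32_t drained = 0;
    return queue_expired(&dr, pool, 10, &drained) <= DR_MBUF_LEN ? 0 : 1;
}
```

With the check in place, cnt never exceeds the array length no matter how many fragments expire between drains; the caller decides whether a refused append triggers a drain or a drop.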