DPDK patches and discussions
From: Bruce Richardson <bruce.richardson@intel.com>
To: Olivier Matz <olivier.matz@6wind.com>,
	Keith Wiles <keith.wiles@intel.com>
Cc: dev@dpdk.org, Bruce Richardson <bruce.richardson@intel.com>,
	Hemant Agrawal <hemant.agrawal@nxp.com>,
	Shreyansh Jain <shreyansh.jain@nxp.com>
Subject: [dpdk-dev] [PATCH 0/2] prevent out of bounds read with checksum
Date: Mon, 17 Dec 2018 15:50:03 +0000
Message-ID: <20181217155005.13457-1-bruce.richardson@intel.com>

The functions for checksumming the packet payload don't perform bounds
checks, and are used by the TAP driver which does not do any bounds checks
on the incoming packet either. This means a packet received with an
incorrect IP header can read beyond the end of the mbuf.

In the worst case, where the length is specified as being smaller than the
IPv4 header, 32-bit wrap-around on subtraction occurs, meaning that approx
4GB of memory will be read.

To fix this, we can introduce a sanity check into the ipv4 function to
ensure that underflow does not occur. Since the checksum function does not
take the mbuf length as a parameter, we cannot check for overflow there,
so we instead perform the checks in the TAP driver directly.

Ideally, in a future release, all checksum functions should be modified to
take a max buffer length parameter to fix this issue globally.

NOTE: It appears that the dpaa driver also uses these functions, but from
what I can see there, they are only used on TX, which means that there
should be less need for parameter length checking, as the data does not
come from an untrusted source. Perhaps maintainers, Hemant and Shreyansh,
can confirm?

CC: Hemant Agrawal <hemant.agrawal@nxp.com>
CC: Shreyansh Jain <shreyansh.jain@nxp.com>

Bruce Richardson (2):
  net: fix underflow for checksum of invalid IPv4 packets
  net/tap: add buffer overflow checks before checksum

 drivers/net/tap/rte_eth_tap.c | 14 ++++++++++++++
 lib/librte_net/rte_ip.h       | 12 ++++++++----
 2 files changed, 22 insertions(+), 4 deletions(-)

-- 
2.19.2
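
The length arithmetic described in the cover letter, as an added example that is not part of the patch series or of DPDK: the function names and the three sample packets are constructed for illustration. It shows the 32-bit wrap-around when the IPv4 total length is smaller than the header, and a check that also bounds the length against the bytes actually in the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample packets: 28-byte buffers, IPv4, IHL = 5 words (20 bytes). */
static const uint8_t pkt_valid[28]     = { 0x45, 0x00, 0x00, 0x1c }; /* total_length = 28 */
static const uint8_t pkt_underflow[28] = { 0x45, 0x00, 0x00, 0x0a }; /* total_length = 10 */
static const uint8_t pkt_overflow[28]  = { 0x45, 0x00, 0x05, 0xdc }; /* total_length = 1500 */

/* Unchecked (hypothetical helper): trusts the header fields as received. */
static uint32_t l4_len_unchecked(const uint8_t *ip)
{
    uint32_t hdr_len = (uint32_t)(ip[0] & 0x0f) * 4;      /* IHL in 32-bit words */
    uint32_t total_len = ((uint32_t)ip[2] << 8) | ip[3];  /* big-endian total length */
    return total_len - hdr_len;  /* wraps to ~4GB when total_len < hdr_len */
}

/* Checked (hypothetical helper): returns the L4 payload length, or -1 if the
 * header is inconsistent with itself or with the bytes held in the buffer. */
static int64_t l4_len_checked(const uint8_t *ip, size_t buf_len)
{
    if (buf_len < 20 || (ip[0] >> 4) != 4)
        return -1;
    uint32_t hdr_len = (uint32_t)(ip[0] & 0x0f) * 4;
    uint32_t total_len = ((uint32_t)ip[2] << 8) | ip[3];
    if (hdr_len < 20 || hdr_len > buf_len)
        return -1;
    if (total_len < hdr_len)   /* underflow: subtraction would wrap */
        return -1;
    if (total_len > buf_len)   /* overflow: checksum would read past the buffer */
        return -1;
    return (int64_t)(total_len - hdr_len);
}

int main(void)
{
    printf("valid:     unchecked=%u checked=%lld\n",
           (unsigned)l4_len_unchecked(pkt_valid),
           (long long)l4_len_checked(pkt_valid, sizeof pkt_valid));
    printf("underflow: unchecked=%u checked=%lld\n",
           (unsigned)l4_len_unchecked(pkt_underflow),
           (long long)l4_len_checked(pkt_underflow, sizeof pkt_underflow));
    printf("overflow:  unchecked=%u checked=%lld\n",
           (unsigned)l4_len_unchecked(pkt_overflow),
           (long long)l4_len_checked(pkt_overflow, sizeof pkt_overflow));
    return 0;
}
```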

Thread overview: 10+ messages
2018-12-17 15:50 Bruce Richardson [this message]
2018-12-17 15:50 ` [dpdk-dev] [PATCH 1/2] net: fix underflow for checksum of invalid IPv4 packets Bruce Richardson
2018-12-18 13:15   ` Hemant Agrawal
2018-12-18 13:18     ` Hemant Agrawal
2018-12-17 15:50 ` [dpdk-dev] [PATCH 2/2] net/tap: add buffer overflow checks before checksum Bruce Richardson
2018-12-20 19:08   ` Ferruh Yigit
2018-12-20 19:33   ` Wiles, Keith
2018-12-18 12:50 ` [dpdk-dev] [PATCH 0/2] prevent out of bounds read with checksum Hemant Agrawal
2018-12-18 13:12   ` Richardson, Bruce
2018-12-20 19:09 ` Ferruh Yigit
