DPDK patches and discussions
From: Bruce Richardson <bruce.richardson@intel.com>
To: Olivier Matz <olivier.matz@6wind.com>,
	Keith Wiles <keith.wiles@intel.com>
Cc: dev@dpdk.org, Bruce Richardson <bruce.richardson@intel.com>,
	stable@dpdk.org
Subject: [dpdk-dev] [PATCH 1/2] net: fix underflow for checksum of invalid IPv4 packets
Date: Mon, 17 Dec 2018 15:50:04 +0000
Message-ID: <20181217155005.13457-2-bruce.richardson@intel.com>
In-Reply-To: <20181217155005.13457-1-bruce.richardson@intel.com>

If we receive a packet with an invalid IP header, where the total packet
length is reported as less than the IP header length, we would end up
getting an underflow in the length subtraction. This could cause us to
checksum e.g. 4GB of data in the case where the result of the subtraction
was -1. We fix this by having the function return 0 - an invalid sum - when
the length is less than the header length.

CC: stable@dpdk.org
Fixes: af75078fece3 ("first public release")
Fixes: 6006818cfb26 ("net: new checksum functions")

Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
---
 lib/librte_net/rte_ip.h | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/lib/librte_net/rte_ip.h b/lib/librte_net/rte_ip.h
index f2a8904a2..f9b909090 100644
--- a/lib/librte_net/rte_ip.h
+++ b/lib/librte_net/rte_ip.h
@@ -310,16 +310,20 @@ rte_ipv4_phdr_cksum(const struct ipv4_hdr *ipv4_hdr, uint64_t ol_flags)
  * @param l4_hdr
  *   The pointer to the beginning of the L4 header.
  * @return
- *   The complemented checksum to set in the IP packet.
+ *   The complemented checksum to set in the IP packet
+ *   or 0 on error
  */
 static inline uint16_t
 rte_ipv4_udptcp_cksum(const struct ipv4_hdr *ipv4_hdr, const void *l4_hdr)
 {
 	uint32_t cksum;
-	uint32_t l4_len;
+	uint32_t l3_len, l4_len;
+
+	l3_len = rte_be_to_cpu_16(ipv4_hdr->total_length);
+	if (l3_len < sizeof(struct ipv4_hdr))
+		return 0;
 
-	l4_len = (uint32_t)(rte_be_to_cpu_16(ipv4_hdr->total_length) -
-		sizeof(struct ipv4_hdr));
+	l4_len = l3_len - sizeof(struct ipv4_hdr);
 
 	cksum = rte_raw_cksum(l4_hdr, l4_len);
 	cksum += rte_ipv4_phdr_cksum(ipv4_hdr, 0);
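Review bot: the new guard `if (l3_len < sizeof(struct ipv4_hdr))` and the following `l4_len = l3_len - sizeof(struct ipv4_hdr)` both use the fixed 20-byte struct size rather than the header length encoded in the packet's IHL field. If a caller derives `l4_hdr` from IHL for a header that carries options, a `total_length` between 20 and IHL*4 still passes the check, and `l4_len` counts the option bytes as L4 payload, so `rte_raw_cksum()` would read that many bytes past the end of the datagram. Consider computing the header length from `version_ihl` and using it in both the comparison and the subtraction, or state in the doc comment that the function assumes an option-less header. Separately, nothing here bounds `l4_len` against the data actually received, since the function takes no buffer length; a `total_length` larger than the buffer still leads to an over-read, so the `@return` text should say that callers must validate `total_length` against the packet length first, and should spell out the condition under which 0 is returned (total length smaller than the IPv4 header).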
-- 
2.19.2

Thread overview: 10+ messages
2018-12-17 15:50 [dpdk-dev] [PATCH 0/2] prevent out of bounds read with checksum Bruce Richardson
2018-12-17 15:50 ` Bruce Richardson [this message]
2018-12-18 13:15   ` [dpdk-dev] [PATCH 1/2] net: fix underflow for checksum of invalid IPv4 packets Hemant Agrawal
2018-12-18 13:18     ` Hemant Agrawal
2018-12-17 15:50 ` [dpdk-dev] [PATCH 2/2] net/tap: add buffer overflow checks before checksum Bruce Richardson
2018-12-20 19:08   ` Ferruh Yigit
2018-12-20 19:33   ` Wiles, Keith
2018-12-18 12:50 ` [dpdk-dev] [PATCH 0/2] prevent out of bounds read with checksum Hemant Agrawal
2018-12-18 13:12   ` Richardson, Bruce
2018-12-20 19:09 ` Ferruh Yigit
