From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga04.intel.com (mga04.intel.com [192.55.52.120]) by dpdk.org (Postfix) with ESMTP id CE9281B3A7; Mon, 7 Jan 2019 15:29:59 +0100 (CET) X-Amp-Result: UNKNOWN X-Amp-Original-Verdict: FILE UNKNOWN X-Amp-File-Uploaded: False Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga104.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Jan 2019 06:29:58 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.56,451,1539673200"; d="scan'208";a="136033162" Received: from bricha3-mobl.ger.corp.intel.com ([10.237.221.54]) by fmsmga001.fm.intel.com with SMTP; 07 Jan 2019 06:29:56 -0800 Received: by (sSMTP sendmail emulation); Mon, 07 Jan 2019 14:29:56 +0000 Date: Mon, 7 Jan 2019 14:29:55 +0000 From: Bruce Richardson To: Jiayu Hu Cc: dev@dpdk.org, tiwei.bie@intel.com, stable@dpdk.org Message-ID: <20190107142955.GC14912@bricha3-MOBL.ger.corp.intel.com> References: <1546567036-29444-1-git-send-email-jiayu.hu@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1546567036-29444-1-git-send-email-jiayu.hu@intel.com> Organization: Intel Research and Development Ireland Ltd. User-Agent: Mutt/1.10.1 (2018-07-13) Subject: Re: [dpdk-dev] [PATCH] gro: fix overflow of TCP Options length calculation X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 07 Jan 2019 14:30:00 -0000 On Fri, Jan 04, 2019 at 09:57:16AM +0800, Jiayu Hu wrote: > If we receive a packet with an invalid TCP header, whose > TCP header length is less than 20 bytes (the minimal TCP > header length), the calculated TCP Options length will > overflow and result in incorrect reassembly behaviors. Please explain how changing the "len" type fixes this behaviour. > > Fixes: 0d2cbe59b719 ("lib/gro: support TCP/IPv4") > Fixes: 9e0b9d2ec0f4 ("gro: support VxLAN GRO") > Cc: stable@dpdk.org > > Signed-off-by: Jiayu Hu > --- > lib/librte_gro/gro_tcp4.h | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/lib/librte_gro/gro_tcp4.h b/lib/librte_gro/gro_tcp4.h > index 6bb30cd..189cea3 100644 > --- a/lib/librte_gro/gro_tcp4.h > +++ b/lib/librte_gro/gro_tcp4.h > @@ -266,7 +266,8 @@ check_seq_option(struct gro_tcp4_item *item, > struct rte_mbuf *pkt_orig = item->firstseg; > struct ipv4_hdr *iph_orig; > struct tcp_hdr *tcph_orig; > - uint16_t len, tcp_hl_orig; > + uint16_t tcp_hl_orig; > + int32_t len; > > iph_orig = (struct ipv4_hdr *)(rte_pktmbuf_mtod(pkt_orig, char *) + > l2_offset + pkt_orig->l2_len); > -- > 2.7.4 >