From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pg1-f196.google.com (mail-pg1-f196.google.com [209.85.215.196]) by dpdk.org (Postfix) with ESMTP id 5B20D1B43C for ; Tue, 8 Jan 2019 07:32:02 +0100 (CET) Received: by mail-pg1-f196.google.com with SMTP id z11so1284443pgu.0 for ; Mon, 07 Jan 2019 22:32:02 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=networkplumber-org.20150623.gappssmtp.com; s=20150623; h=date:from:to:cc:subject:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=XFRK0cUnSC5vHi0g7Wza3dnHEevOrgF29AMYJ45OAIE=; b=lixf/qb10XWZpLyiAxkazNdP2fVIX5jK0z37ouX3t0SYYSP+PYqYLvB9i6JJS2nxkS RqYhiGbQlxepoRiov2vwWMNntiASnWz3hVl9XE5Qe3ABWrQFiCq6Lw7EULdc5aNImBly XscZbG0dLWCAJcsEjfhJ4jqcnhHi+BSR7UJ3lM01TmkY/ZVkV5FgW7wiyrdvXoGO2yhf zUHscIlTyOi8okBrEzVpSPdsiYjL6tYKeBhXCQJD3BsqLOSoFbuSuAaRTLxGtf2Xh4UJ /kFKSeAXaPUOti4ga9HUiLXA5vrZ9PZ5oXSMDdZa2oRuwI5tSZhXIjIRjXxMo6p6ncJi 2jyQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=XFRK0cUnSC5vHi0g7Wza3dnHEevOrgF29AMYJ45OAIE=; b=FOWSOqOqwe/IUrABCw68s5wv+FQn7Hx8fmygafq5LJJ51UneGH5een8xRFoJc9WXWD KUOtmp3UzwOf0uwdOBMqqEcSreTpiy7+7q9VXn1A6mMWSyGvkGrAGZc/W7bMcDXMwKd4 2//GM/fX8sC17ZtdpbCxsm9k2Of/f4dRWIQ0Kjjzv4J3DiZVB4YPpHlGsGaiiZ3qH6tY fv/Cr53vPgXVIITB19jg2cqqHMZMXHLozD/93zzi7p6dtEnZoBLScR+Pd1N9L1vZu9HJ veW3lq2edNXh8fxFRWLUSEVx1lXLiRxqgjK5ENGorVrq3+oaHjKXrl7lyJLyWGorLPzZ dSAg== X-Gm-Message-State: AJcUukdAuKzG7HlqJod6VabBxBhEMBnFqGmhqHZg57StOQgkEglq2aDm A0z1kkCl6S44BBsps8tmyuJRSA== X-Google-Smtp-Source: ALg8bN5FRfOCpESv17AOlqpvdm+Belesplw2sSF5tBpUV1m9tELqQMTzbxWZnUkk1mNDQNVG/SRAEw== X-Received: by 2002:a63:fb15:: with SMTP id o21mr446364pgh.211.1546929121440; Mon, 07 Jan 2019 22:32:01 -0800 (PST) Received: from hermes.lan (204-195-22-127.wavecable.com. [204.195.22.127]) by smtp.gmail.com with ESMTPSA id b4sm80211935pgq.65.2019.01.07.22.32.01 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 07 Jan 2019 22:32:01 -0800 (PST) Date: Mon, 7 Jan 2019 22:31:51 -0800 From: Stephen Hemminger To: Jiayu Hu Cc: dev@dpdk.org, tiwei.bie@intel.com, bruce.richardson@intel.com, stable@dpdk.org Message-ID: <20190107223151.18b185b7@hermes.lan> In-Reply-To: <1546927725-68831-1-git-send-email-jiayu.hu@intel.com> References: <1546567036-29444-1-git-send-email-jiayu.hu@intel.com> <1546927725-68831-1-git-send-email-jiayu.hu@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: Re: [dpdk-dev] [PATCH] gro: add missing invalid packet checks X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Jan 2019 06:32:02 -0000 On Tue, 8 Jan 2019 14:08:45 +0800 Jiayu Hu wrote: > + /* > + * Don't process the packet whose Ethernet, IPv4 and TCP header > + * lengths are invalid. In addition, if the IPv4 header contains > + * Options, the packet shouldn't be processed. > + */ > + if (unlikely(ILLEGAL_ETHER_HDRLEN(pkt->l2_len) || > + ILLEGAL_IPV4_HDRLEN(pkt->l3_len) || > + ILLEGAL_TCP_HDRLEN(pkt->l4_len))) > + return -1; I like it when code is as picky as possible when doing optimizations because it reduces possible security riskg. To me this looks more confusing and not as careful as doing it like: if (unlikely(pkt->l2_len != ETHER_HDR_LEN)) return -1; eth_hdr = rte_pktmbuf_mtod(pkt, struct ether_hdr *); ipv4_hdr = (struct ipv4_hdr *)((char *)eth_hdr + ETHER_HDR_LEN); if (pkt->l3_len != (ipv4->version_ihl & IPV4_HDR_IHL_MASK) << 4) return -1; if (pkt->l4_len < sizeof(struct tcp_hdr)) return -1; You should also check for TCP options as well. And IPv6 has same issues.