>> Signed-off-by: Raslan Darawsheh <rasland@nvidia.com>
>> ---
>>  app/test-pmd/csumonly.c | 8 +++++---
>>  1 file changed, 5 insertions(+), 3 deletions(-)
>>
>> diff --git a/app/test-pmd/csumonly.c b/app/test-pmd/csumonly.c
>> index 5b906eaa53..302cc4cc66 100644
>> --- a/app/test-pmd/csumonly.c
>> +++ b/app/test-pmd/csumonly.c
>> @@ -468,6 +468,7 @@ get_ethertype_by_ptype(struct rte_ether_hdr *eth_hdr, uint32_t ptype)
>>  {
>>        struct rte_vlan_hdr *vlan_hdr;
>>        uint16_t ethertype;
>> +     uint32_t i = 0;
>> 
>>        switch (ptype) {
>>        case RTE_PTYPE_L3_IPV4:
>> @@ -486,10 +487,11 @@ get_ethertype_by_ptype(struct rte_ether_hdr *eth_hdr, uint32_t ptype)
>>                return _htons(RTE_ETHER_TYPE_IPV6);
>>        default:
>>                ethertype = eth_hdr->ether_type;
>> -             while (eth_hdr->ether_type == _htons(RTE_ETHER_TYPE_VLAN) ||
>> -                     eth_hdr->ether_type == _htons(RTE_ETHER_TYPE_QINQ)) {
>> +             while (ethertype == _htons(RTE_ETHER_TYPE_VLAN) ||
>> +                     ethertype == _htons(RTE_ETHER_TYPE_QINQ)) {
>>                        vlan_hdr = (struct rte_vlan_hdr *)
>> -                             ((char *)eth_hdr + sizeof(*eth_hdr));
v> +                             ((char *)eth_hdr + sizeof(*eth_hdr) +
v> +                             (i * sizeof(struct rte_vlan_hdr)));
>>                        ethertype = vlan_hdr->eth_proto;
>>                }
>>                return ethertype;

>A loop like this is prone to getting attacked with a malicious packet.
>You should cut it off after a few vlan headers.
>Also. what if packet is truncated, shouldn't be reading past end of data.
>And what if packet is fragmented, you need to use rte_pktmbuf_read()
I’m trying to fix the current loop not really changing the logic, and I’m not sure we handled these cases originally.

If needed, we can issue a separate patch for fixing these cases.

 

Kindest regards

Raslan Darawsheh