From: "Hu, Jiayu" <jiayu.hu@intel.com>
To: "Ananyev, Konstantin" <konstantin.ananyev@intel.com>,
"Wang, Yinan" <yinan.wang@intel.com>,
"dev@dpdk.org" <dev@dpdk.org>
Cc: "thomas@monjalon.net" <thomas@monjalon.net>,
"stable@dpdk.org" <stable@dpdk.org>
Subject: Re: [dpdk-dev] [PATCH v2] gro: add missing invalid packet checks
Date: Tue, 15 Jan 2019 12:18:03 +0000 [thread overview]
Message-ID: <ED946F0BEFE0A141B63BABBD629A2A9B3CF43C71@shsmsx102.ccr.corp.intel.com> (raw)
In-Reply-To: <2601191342CEEE43887BDE71AB977258010D904112@irsmsx105.ger.corp.intel.com>
> -----Original Message-----
> From: Ananyev, Konstantin
> Sent: Tuesday, January 15, 2019 6:12 PM
> To: Wang, Yinan <yinan.wang@intel.com>; Hu, Jiayu <jiayu.hu@intel.com>;
> dev@dpdk.org
> Cc: thomas@monjalon.net; Hu, Jiayu <jiayu.hu@intel.com>;
> stable@dpdk.org
> Subject: RE: [dpdk-dev] [PATCH v2] gro: add missing invalid packet checks
>
> Hi,
>
> > -----Original Message-----
> > From: Wang, Yinan
> > Sent: Tuesday, January 15, 2019 5:05 AM
> > To: Hu, Jiayu <jiayu.hu@intel.com>; dev@dpdk.org
> > Cc: Ananyev, Konstantin <konstantin.ananyev@intel.com>;
> thomas@monjalon.net; Hu, Jiayu <jiayu.hu@intel.com>; stable@dpdk.org
> > Subject: RE: [dpdk-dev] [PATCH v2] gro: add missing invalid packet checks
> >
> > Tested-by: Yinan Wang <yinan.wang@intel.com>
> >
> > Best Wishes,
> > Yinan
> >
> >
> > -----Original Message-----
> > From: dev [mailto:dev-bounces@dpdk.org] On Behalf Of Jiayu Hu
> > Sent: 2019年1月10日 23:06
> > To: dev@dpdk.org
> > Cc: Ananyev, Konstantin <konstantin.ananyev@intel.com>;
> thomas@monjalon.net; Hu, Jiayu <jiayu.hu@intel.com>; stable@dpdk.org
> > Subject: [dpdk-dev] [PATCH v2] gro: add missing invalid packet checks
> >
> > Currently, GRO library doesn't check if input packets have invalid headers.
> The packets with invalid headers will also be processed by GRO.
> >
> > However, GRO shouldn't process invalid packets. This patch adds missing
> invalid packet checks.
> >
> > Fixes: 0d2cbe59b719 ("lib/gro: support TCP/IPv4")
> > Fixes: 9e0b9d2ec0f4 ("gro: support VxLAN GRO")
> > Cc: stable@dpdk.org
> >
> > Signed-off-by: Jiayu Hu <jiayu.hu@intel.com>
> >
> > ---
> > changes in v2:
> > - fix VxLAN header length check bug for VxLAN GRO;
> > - fix ethernet header length check bug;
> > - use sizeof() and macro to present valid header length;
> > - add VLAN related comments since GRO cannot process VLAN tagged
> packets.
> >
> > lib/librte_gro/gro_tcp4.c | 12 ++++++++++++
> > lib/librte_gro/gro_tcp4.h | 10 ++++++++++
> > lib/librte_gro/gro_vxlan_tcp4.c | 15 +++++++++++++++
> > 3 files changed, 37 insertions(+)
> >
> > diff --git a/lib/librte_gro/gro_tcp4.c b/lib/librte_gro/gro_tcp4.c index
> 2fe9aab..48076e0 100644
> > --- a/lib/librte_gro/gro_tcp4.c
> > +++ b/lib/librte_gro/gro_tcp4.c
> > @@ -208,6 +208,18 @@ gro_tcp4_reassemble(struct rte_mbuf *pkt,
> > int cmp;
> > uint8_t find;
> >
> > + /*
> > + * Don't process the packet whose Ethernet, IPv4 and TCP header
> > + * lengths are invalid.
> > + *
> > + * In addition, GRO doesn't process the packet that is VLAN
> > + * tagged or whose the IPv4 header contains Options.
> > + */
> > + if (unlikely(ILLEGAL_ETHER_HDRLEN(pkt->l2_len) ||
> > + ILLEGAL_IPV4_HDRLEN(pkt->l3_len) ||
> > + ILLEGAL_TCP_HDRLEN(pkt->l4_len)))
> > + return -1;
> > +
> > eth_hdr = rte_pktmbuf_mtod(pkt, struct ether_hdr *);
> > ipv4_hdr = (struct ipv4_hdr *)((char *)eth_hdr + pkt->l2_len);
> > tcp_hdr = (struct tcp_hdr *)((char *)ipv4_hdr + pkt->l3_len); diff --git
> a/lib/librte_gro/gro_tcp4.h b/lib/librte_gro/gro_tcp4.h index
> > 6bb30cd..65bcae8 100644
> > --- a/lib/librte_gro/gro_tcp4.h
> > +++ b/lib/librte_gro/gro_tcp4.h
> > @@ -17,6 +17,16 @@
> > */
> > #define MAX_IPV4_PKT_LENGTH UINT16_MAX
> >
> > +/* The maximum TCP header length */
> > +#define TCP_MAX_HLEN 60
> > +
> > +#define ILLEGAL_ETHER_HDRLEN(len) ((len) != ETHER_HDR_LEN) #define
> > +ILLEGAL_ETHER_VXLAN_HDRLEN(len) \
> > + ((len) != (ETHER_VXLAN_HLEN + ETHER_HDR_LEN)) #define
> > +ILLEGAL_IPV4_HDRLEN(len) ((len) != sizeof(struct ipv4_hdr)) #define
> > +ILLEGAL_TCP_HDRLEN(len) \
> > + (((len) < sizeof(struct tcp_hdr)) || ((len) > TCP_MAX_HLEN))
> > +
> > /* Header fields representing a TCP/IPv4 flow */ struct tcp4_flow_key {
> > struct ether_addr eth_saddr;
> > diff --git a/lib/librte_gro/gro_vxlan_tcp4.c
> b/lib/librte_gro/gro_vxlan_tcp4.c index 955ae4b..72d63bc 100644
> > --- a/lib/librte_gro/gro_vxlan_tcp4.c
> > +++ b/lib/librte_gro/gro_vxlan_tcp4.c
> > @@ -306,6 +306,21 @@ gro_vxlan_tcp4_reassemble(struct rte_mbuf
> *pkt,
> > uint16_t hdr_len;
> > uint8_t find;
> >
> > + /*
> > + * Don't process the packet whose outer Ethernet, outer IPv4,
> > + * VxLAN header, inner Ethernet, inner IPv4 and inner TCP
> > + * header lengths are invalid.
> > + *
> > + * In addition, GRO doesn't process the packet that is VLAN
> > + * tagged or whose IPv4 header contains Options.
> > + */
> > + if (unlikely(ILLEGAL_ETHER_HDRLEN(pkt->outer_l2_len) ||
> > + ILLEGAL_IPV4_HDRLEN(pkt->outer_l3_len)
> ||
> > + ILLEGAL_ETHER_VXLAN_HDRLEN(pkt-
> >l2_len) ||
> > + ILLEGAL_IPV4_HDRLEN(pkt->l3_len) ||
> > + ILLEGAL_TCP_HDRLEN(pkt->l4_len)))
> > + return -1;
> > +
>
> Could you remind me why do we need that strict for l2 and l3 lenghts
> (no ip options, no vlan, etc)?
Reducing security risks is the motivation for those strict checks.
If input packets have invalid header lengths, GRO cannot detect and will
still process them. In fact, segment fault may happen in check_seq_option(),
if the input packet has TCP header length less than 20 bytes. It gives an
opportunity to malicious attacks to make DPDK applications crash.
Originally, I sent a patch to solve the segment fault issue
(http://patches.dpdk.org/patch/49431/). But I think we need to a more
thorough solution to handle the invalid packets.
In the implementation of GRO, it doesn't consider VLAN tagged packets and
packets with IPv4 Options. For example, we don't compare VLAN ID when
merge packets. So I set the acceptable values of L2 and L3 to 14 and 20.
> BTW, if we don't allow any other lenghts for l2/l3 except 14/20,
> do we really need them to be setuped by user?
The only reason is to reduce security risks (e.g. network attack).
We use MBUF->packet_type to determine the input packet is
performed GRO or not. If users input a packet with setting
packet_type to (RTE_PTYPE_L4_TCP | RTE_PTYPE_L3_IPV4)
but maliciously setting l2_len/l3_len to invalid values, GRO has
no way to know it.
IMO, thoroughly checking if input packets are malicious is not
GRO's job. But if the overhead is low and adding some basic checks
can avoid obvious errors, I think we can add those checks.
Does it make sense?
> Konstantin
>
> > outer_eth_hdr = rte_pktmbuf_mtod(pkt, struct ether_hdr *);
> > outer_ipv4_hdr = (struct ipv4_hdr *)((char *)outer_eth_hdr +
> > pkt->outer_l2_len);
> > --
> > 2.7.4
next prev parent reply other threads:[~2019-01-15 12:18 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-04 1:57 [dpdk-dev] [PATCH] gro: fix overflow of TCP Options length calculation Jiayu Hu
2019-01-07 14:29 ` Bruce Richardson
2019-01-08 1:22 ` Hu, Jiayu
2019-01-08 6:19 ` Stephen Hemminger
2019-01-08 6:08 ` [dpdk-dev] [PATCH] gro: add missing invalid packet checks Jiayu Hu
2019-01-08 6:31 ` Stephen Hemminger
2019-01-08 8:14 ` Hu, Jiayu
2019-01-08 10:39 ` Ananyev, Konstantin
2019-01-08 11:33 ` Morten Brørup
2019-01-08 13:40 ` Hu, Jiayu
2019-01-08 13:43 ` Ananyev, Konstantin
2019-01-08 14:50 ` Morten Brørup
2019-01-09 3:32 ` Hu, Jiayu
2019-01-10 15:06 ` [dpdk-dev] [PATCH v2] " Jiayu Hu
2019-01-14 22:26 ` [dpdk-dev] [dpdk-stable] " Thomas Monjalon
2019-01-15 1:00 ` [dpdk-dev] " Stephen Hemminger
2019-01-15 2:48 ` Hu, Jiayu
2019-01-15 5:05 ` Wang, Yinan
2019-01-15 10:11 ` Ananyev, Konstantin
2019-01-15 12:18 ` Hu, Jiayu [this message]
2019-01-15 13:38 ` Hu, Jiayu
2019-01-16 0:45 ` [dpdk-dev] [PATCH v3] gro: add missing invalid TCP header length check Jiayu Hu
2019-01-16 9:49 ` Ananyev, Konstantin
2019-01-17 21:41 ` Thomas Monjalon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ED946F0BEFE0A141B63BABBD629A2A9B3CF43C71@shsmsx102.ccr.corp.intel.com \
--to=jiayu.hu@intel.com \
--cc=dev@dpdk.org \
--cc=konstantin.ananyev@intel.com \
--cc=stable@dpdk.org \
--cc=thomas@monjalon.net \
--cc=yinan.wang@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).