From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) by dpdk.org (Postfix) with ESMTP id 3E5661B205 for ; Wed, 9 Jan 2019 03:21:00 +0100 (CET) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga007.fm.intel.com ([10.253.24.52]) by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 08 Jan 2019 18:20:58 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.56,455,1539673200"; d="scan'208";a="113234850" Received: from dpdk15.sh.intel.com ([10.67.111.146]) by fmsmga007.fm.intel.com with ESMTP; 08 Jan 2019 18:20:58 -0800 From: Jiayu Hu To: stable@dpdk.org Cc: Jiayu Hu Date: Wed, 9 Jan 2019 10:20:50 +0800 Message-Id: <1547000450-113783-1-git-send-email-jiayu.hu@intel.com> X-Mailer: git-send-email 2.7.4 Subject: [dpdk-stable] [PATCH 17.11] gro: fix overflow of TCP payload calculation X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Jan 2019 02:21:00 -0000 When the IPv4 packet length is less than the total length of IPv4 and TCP headers, the calculated TCP payload length will overflow and result in incorrect reassembly behaviors. Fixes: 0d2cbe59b719 ("lib/gro: support TCP/IPv4") Signed-off-by: Jiayu Hu --- lib/librte_gro/gro_tcp4.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/lib/librte_gro/gro_tcp4.c b/lib/librte_gro/gro_tcp4.c index 61a0423..d1c6c7d 100644 --- a/lib/librte_gro/gro_tcp4.c +++ b/lib/librte_gro/gro_tcp4.c @@ -343,7 +343,8 @@ gro_tcp4_reassemble(struct rte_mbuf *pkt, struct ipv4_hdr *ipv4_hdr; struct tcp_hdr *tcp_hdr; uint32_t sent_seq; - uint16_t tcp_dl, ip_id; + uint16_t ip_id; + int32_t tcp_dl; struct tcp4_key key; uint32_t cur_idx, prev_idx, item_idx; 
@@ -360,10 +361,10 @@ gro_tcp4_reassemble(struct rte_mbuf *pkt, */ if (tcp_hdr->tcp_flags != TCP_ACK_FLAG) return -1; - /* if payload length is 0, return immediately */ + /* if payload length is less than or equal to 0, return immediately */ tcp_dl = rte_be_to_cpu_16(ipv4_hdr->total_length) - pkt->l3_len - pkt->l4_len; - if (tcp_dl == 0) + if (tcp_dl <= 0) return -1; ip_id = rte_be_to_cpu_16(ipv4_hdr->packet_id); -- 2.7.4
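Review bot: In the first hunk (@@ -343,7 +343,8 @@), the new `int32_t tcp_dl;` declaration has no comment explaining why a length is held in a signed type, so a later cleanup could narrow it back to `uint16_t` and reintroduce the wrap. A one-line comment at the declaration would help, for example noting that the value goes negative when `total_length` is smaller than `l3_len + l4_len`. The uses of `tcp_dl` after the check are not visible in this patch; any that pass it to a `uint16_t` parameter now narrow implicitly and are worth confirming.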
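Review bot: In the second hunk (@@ -360,10 +361,10 @@), `tcp_dl` is still derived only from the header's `total_length`: the `tcp_dl <= 0` check rejects a value that is too small, but nothing in the visible lines bounds it from above against the data actually held in `pkt`. If that is not validated earlier in the function, consider also rejecting packets whose `total_length` exceeds what the mbuf holds. Separately, the subtraction relies on integer promotion to yield a negative result, and the types of `l3_len` and `l4_len` are not visible here; casting the first operand, `(int32_t)rte_be_to_cpu_16(ipv4_hdr->total_length)`, would make the signed arithmetic explicit.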