* [dpdk-stable] [PATCH 1/2] net: fix underflow for checksum of invalid IPv4 packets [not found] <20181217155005.13457-1-bruce.richardson@intel.com> @ 2018-12-17 15:50 ` Bruce Richardson 2018-12-18 13:15 ` [dpdk-stable] [dpdk-dev] " Hemant Agrawal 2018-12-17 15:50 ` [dpdk-stable] [PATCH 2/2] net/tap: add buffer overflow checks before checksum Bruce Richardson 1 sibling, 1 reply; 6+ messages in thread From: Bruce Richardson @ 2018-12-17 15:50 UTC (permalink / raw) To: Olivier Matz, Keith Wiles; +Cc: dev, Bruce Richardson, stable If we receive a packet with an invalid IP header, where the total packet length is reported as less than the IP header length, we would end up getting an underflow in the length subtraction. This could cause us to checksum e.g. 4GB of data in the case where the result of the subtraction was -1. We fix this by having the function return 0 - an invalid sum - when the length is less than the header length. CC: stable@dpdk.org Fixes: af75078fece3 ("first public release") Fixes: 6006818cfb26 ("net: new checksum functions") Signed-off-by: Bruce Richardson <bruce.richardson@intel.com> --- lib/librte_net/rte_ip.h | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/lib/librte_net/rte_ip.h b/lib/librte_net/rte_ip.h index f2a8904a2..f9b909090 100644 --- a/lib/librte_net/rte_ip.h +++ b/lib/librte_net/rte_ip.h @@ -310,16 +310,20 @@ rte_ipv4_phdr_cksum(const struct ipv4_hdr *ipv4_hdr, uint64_t ol_flags) * @param l4_hdr * The pointer to the beginning of the L4 header. * @return - * The complemented checksum to set in the IP packet. + * The complemented checksum to set in the IP packet + * or 0 on error */ static inline uint16_t rte_ipv4_udptcp_cksum(const struct ipv4_hdr *ipv4_hdr, const void *l4_hdr) { uint32_t cksum; - uint32_t l4_len; + uint32_t l3_len, l4_len; + + l3_len = rte_be_to_cpu_16(ipv4_hdr->total_length); + if (l3_len < sizeof(struct ipv4_hdr)) + return 0; - l4_len = (uint32_t)(rte_be_to_cpu_16(ipv4_hdr->total_length) - - sizeof(struct ipv4_hdr)); + l4_len = l3_len - sizeof(struct ipv4_hdr); cksum = rte_raw_cksum(l4_hdr, l4_len); cksum += rte_ipv4_phdr_cksum(ipv4_hdr, 0); -- 2.19.2 ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [dpdk-stable] [dpdk-dev] [PATCH 1/2] net: fix underflow for checksum of invalid IPv4 packets 2018-12-17 15:50 ` [dpdk-stable] [PATCH 1/2] net: fix underflow for checksum of invalid IPv4 packets Bruce Richardson @ 2018-12-18 13:15 ` Hemant Agrawal 2018-12-18 13:18 ` Hemant Agrawal 0 siblings, 1 reply; 6+ messages in thread From: Hemant Agrawal @ 2018-12-18 13:15 UTC (permalink / raw) To: Bruce Richardson, Olivier Matz, Keith Wiles; +Cc: dev, stable Acked-by: Hemant Agrawal <hemant.agrawal@nxp.com<mailto:hemant.agrawal@nxp.com>> ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [dpdk-stable] [dpdk-dev] [PATCH 1/2] net: fix underflow for checksum of invalid IPv4 packets 2018-12-18 13:15 ` [dpdk-stable] [dpdk-dev] " Hemant Agrawal @ 2018-12-18 13:18 ` Hemant Agrawal 0 siblings, 0 replies; 6+ messages in thread From: Hemant Agrawal @ 2018-12-18 13:18 UTC (permalink / raw) To: Bruce Richardson, Olivier Matz, Keith Wiles; +Cc: dev, stable After fixing my mail client issues. Acked-by: Hemant Agrawal <hemant.agrawal@nxp.com><mailto:hemant.agrawal@nxp.com> On 18-Dec-18 6:45 PM, Hemant Agrawal wrote: Acked-by: Hemant Agrawal <hemant.agrawal@nxp.com<mailto:hemant.agrawal@nxp.com><mailto:hemant.agrawal@nxp.com><mailto:hemant.agrawal@nxp.com>> ^ permalink raw reply [flat|nested] 6+ messages in thread
* [dpdk-stable] [PATCH 2/2] net/tap: add buffer overflow checks before checksum [not found] <20181217155005.13457-1-bruce.richardson@intel.com> 2018-12-17 15:50 ` [dpdk-stable] [PATCH 1/2] net: fix underflow for checksum of invalid IPv4 packets Bruce Richardson @ 2018-12-17 15:50 ` Bruce Richardson 2018-12-20 19:08 ` [dpdk-stable] [dpdk-dev] " Ferruh Yigit 2018-12-20 19:33 ` [dpdk-stable] " Wiles, Keith 1 sibling, 2 replies; 6+ messages in thread From: Bruce Richardson @ 2018-12-17 15:50 UTC (permalink / raw) To: Olivier Matz, Keith Wiles; +Cc: dev, Bruce Richardson, stable The checksum calculation APIs take only the packet headers pointers as parameters, so they assume that the lengths reported in those headers are correct. However, a malicious packet could claim to be far larger than it is, so we need to check the header lengths in the driver before calling the checksum API. A better fix would be to allow the lengths to be passed into the API function, but that would be an API break, so fixing in TAP driver for now. CC: stable@dpdk.org Fixes: 8ae3023387e9 ("net/tap: add Rx/Tx checksum offload support") Signed-off-by: Bruce Richardson <bruce.richardson@intel.com> --- drivers/net/tap/rte_eth_tap.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/drivers/net/tap/rte_eth_tap.c b/drivers/net/tap/rte_eth_tap.c index 49afd38dd..0ec030bef 100644 --- a/drivers/net/tap/rte_eth_tap.c +++ b/drivers/net/tap/rte_eth_tap.c @@ -281,13 +281,27 @@ tap_verify_csum(struct rte_mbuf *mbuf) l3_len = 4 * (iph->version_ihl & 0xf); if (unlikely(l2_len + l3_len > rte_pktmbuf_data_len(mbuf))) return; + /* check that the total length reported by header is not + * greater than the total received size + */ + if (l2_len + rte_be_to_cpu_16(iph->total_length) > + rte_pktmbuf_data_len(mbuf)) + return; cksum = ~rte_raw_cksum(iph, l3_len); mbuf->ol_flags |= cksum ? PKT_RX_IP_CKSUM_BAD : PKT_RX_IP_CKSUM_GOOD; } else if (l3 == RTE_PTYPE_L3_IPV6) { + struct ipv6_hdr *iph = l3_hdr; + l3_len = sizeof(struct ipv6_hdr); + /* check that the total length reported by header is not + * greater than the total received size + */ + if (l2_len + l3_len + rte_be_to_cpu_16(iph->payload_len) > + rte_pktmbuf_data_len(mbuf)) + return; } else { /* IPv6 extensions are not supported */ return; -- 2.19.2 ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [dpdk-stable] [dpdk-dev] [PATCH 2/2] net/tap: add buffer overflow checks before checksum 2018-12-17 15:50 ` [dpdk-stable] [PATCH 2/2] net/tap: add buffer overflow checks before checksum Bruce Richardson @ 2018-12-20 19:08 ` Ferruh Yigit 2018-12-20 19:33 ` [dpdk-stable] " Wiles, Keith 1 sibling, 0 replies; 6+ messages in thread From: Ferruh Yigit @ 2018-12-20 19:08 UTC (permalink / raw) To: Bruce Richardson, Olivier Matz, Keith Wiles; +Cc: dev, stable On 12/17/2018 3:50 PM, Bruce Richardson wrote: > The checksum calculation APIs take only the packet headers pointers as > parameters, so they assume that the lengths reported in those headers are > correct. However, a malicious packet could claim to be far larger than it > is, so we need to check the header lengths in the driver before calling > the checksum API. > > A better fix would be to allow the lengths to be passed into the API > function, but that would be an API break, so fixing in TAP driver for > now. > > CC: stable@dpdk.org > Fixes: 8ae3023387e9 ("net/tap: add Rx/Tx checksum offload support") > > Signed-off-by: Bruce Richardson <bruce.richardson@intel.com> Reviewed-by: Ferruh Yigit <ferruh.yigit@intel.com> ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [dpdk-stable] [PATCH 2/2] net/tap: add buffer overflow checks before checksum 2018-12-17 15:50 ` [dpdk-stable] [PATCH 2/2] net/tap: add buffer overflow checks before checksum Bruce Richardson 2018-12-20 19:08 ` [dpdk-stable] [dpdk-dev] " Ferruh Yigit @ 2018-12-20 19:33 ` Wiles, Keith 1 sibling, 0 replies; 6+ messages in thread From: Wiles, Keith @ 2018-12-20 19:33 UTC (permalink / raw) To: Richardson, Bruce; +Cc: Olivier Matz, dev, stable > On Dec 17, 2018, at 9:50 AM, Richardson, Bruce <bruce.richardson@intel.com> wrote: > > The checksum calculation APIs take only the packet headers pointers as > parameters, so they assume that the lengths reported in those headers are > correct. However, a malicious packet could claim to be far larger than it > is, so we need to check the header lengths in the driver before calling > the checksum API. > > A better fix would be to allow the lengths to be passed into the API > function, but that would be an API break, so fixing in TAP driver for > now. > > CC: stable@dpdk.org > Fixes: 8ae3023387e9 ("net/tap: add Rx/Tx checksum offload support") > > Signed-off-by: Bruce Richardson <bruce.richardson@intel.com> > — Acked-by: Keith Wiles <keith.wiles@intel.com> Regards, Keith ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2018-12-20 19:33 UTC | newest] Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- [not found] <20181217155005.13457-1-bruce.richardson@intel.com> 2018-12-17 15:50 ` [dpdk-stable] [PATCH 1/2] net: fix underflow for checksum of invalid IPv4 packets Bruce Richardson 2018-12-18 13:15 ` [dpdk-stable] [dpdk-dev] " Hemant Agrawal 2018-12-18 13:18 ` Hemant Agrawal 2018-12-17 15:50 ` [dpdk-stable] [PATCH 2/2] net/tap: add buffer overflow checks before checksum Bruce Richardson 2018-12-20 19:08 ` [dpdk-stable] [dpdk-dev] " Ferruh Yigit 2018-12-20 19:33 ` [dpdk-stable] " Wiles, Keith
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).