patches for DPDK stable branches
From: Kevin Traynor <ktraynor@redhat.com>
To: Bruce Richardson <bruce.richardson@intel.com>
Cc: Ferruh Yigit <ferruh.yigit@intel.com>,
	Keith Wiles <keith.wiles@intel.com>,
	dpdk stable <stable@dpdk.org>
Subject: [dpdk-stable] patch 'net/tap: add buffer overflow checks before checksum' has been queued to LTS release 18.11.1
Date: Fri,  4 Jan 2019 13:24:45 +0000
Message-ID: <20190104132455.15170-63-ktraynor@redhat.com>
In-Reply-To: <20190104132455.15170-1-ktraynor@redhat.com>

Hi,

FYI, your patch has been queued to LTS release 18.11.1

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 01/11/19. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(i.e. not only metadata diffs), please double check that the rebase was
correctly done.

Thanks.

Kevin Traynor

---
>From 8bfda00f4cc63d61cbb36dfc4fb30d3374821c6b Mon Sep 17 00:00:00 2001
From: Bruce Richardson <bruce.richardson@intel.com>
Date: Mon, 17 Dec 2018 15:50:05 +0000
Subject: [PATCH] net/tap: add buffer overflow checks before checksum

[ upstream commit 1168a4fd193c3bf981c4889cba150a7bb4c1d169 ]

The checksum calculation APIs take only the packet headers pointers as
parameters, so they assume that the lengths reported in those headers
are correct. However, a malicious packet could claim to be far larger
than it is, so we need to check the header lengths in the driver before
calling the checksum API.

A better fix would be to allow the lengths to be passed into the API
function, but that would be an API break, so fixing in TAP driver for
now.

Fixes: 8ae3023387e9 ("net/tap: add Rx/Tx checksum offload support")

Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
Reviewed-by: Ferruh Yigit <ferruh.yigit@intel.com>
Acked-by: Keith Wiles <keith.wiles@intel.com>
---
 drivers/net/tap/rte_eth_tap.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/drivers/net/tap/rte_eth_tap.c b/drivers/net/tap/rte_eth_tap.c
index 49afd38dd..0ec030bef 100644
--- a/drivers/net/tap/rte_eth_tap.c
+++ b/drivers/net/tap/rte_eth_tap.c
@@ -282,4 +282,10 @@ tap_verify_csum(struct rte_mbuf *mbuf)
 		if (unlikely(l2_len + l3_len > rte_pktmbuf_data_len(mbuf)))
 			return;
+		/* check that the total length reported by header is not
+		 * greater than the total received size
+		 */
+		if (l2_len + rte_be_to_cpu_16(iph->total_length) >
+				rte_pktmbuf_data_len(mbuf))
+			return;
 
 		cksum = ~rte_raw_cksum(iph, l3_len);
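Review bot: The added IPv4 test bounds iph->total_length only from above, so a header whose total_length is smaller than l3_len still passes both checks and reaches rte_raw_cksum() and whatever follows it. Since the aim is to stop trusting header-reported lengths, consider also rejecting rte_be_to_cpu_16(iph->total_length) < l3_len at this point. The early return also sets no checksum flag, so a truncated packet looks the same as one that was simply not verified; a one-line comment saying that this is intended would help.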
@@ -288,5 +294,13 @@ tap_verify_csum(struct rte_mbuf *mbuf)
 			PKT_RX_IP_CKSUM_GOOD;
 	} else if (l3 == RTE_PTYPE_L3_IPV6) {
+		struct ipv6_hdr *iph = l3_hdr;
+
 		l3_len = sizeof(struct ipv6_hdr);
+		/* check that the total length reported by header is not
+		 * greater than the total received size
+		 */
+		if (l2_len + l3_len + rte_be_to_cpu_16(iph->payload_len) >
+				rte_pktmbuf_data_len(mbuf))
+			return;
 	} else {
 		/* IPv6 extensions are not supported */
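Review bot: In the IPv6 branch, iph->payload_len is read before anything in this hunk has established that the 40-byte header itself lies within rte_pktmbuf_data_len(mbuf), whereas the IPv4 branch tests l2_len + l3_len first. Unless a check outside the hunk already guarantees this, add the same l2_len + l3_len > rte_pktmbuf_data_len(mbuf) test ahead of the payload_len read. The comment is also copied from the IPv4 branch: payload_len is not a total length, it excludes the fixed header (which is why l3_len is added to it), and the comment should say so.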
-- 
2.19.0

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- -	2019-01-04 13:23:08.980683763 +0000
+++ 0063-net-tap-add-buffer-overflow-checks-before-checksum.patch	2019-01-04 13:23:07.000000000 +0000
@@ -1,8 +1,10 @@
-From 1168a4fd193c3bf981c4889cba150a7bb4c1d169 Mon Sep 17 00:00:00 2001
+From 8bfda00f4cc63d61cbb36dfc4fb30d3374821c6b Mon Sep 17 00:00:00 2001
 From: Bruce Richardson <bruce.richardson@intel.com>
 Date: Mon, 17 Dec 2018 15:50:05 +0000
 Subject: [PATCH] net/tap: add buffer overflow checks before checksum
 
+[ upstream commit 1168a4fd193c3bf981c4889cba150a7bb4c1d169 ]
+
 The checksum calculation APIs take only the packet headers pointers as
 parameters, so they assume that the lengths reported in those headers
 are correct. However, a malicious packet could claim to be far larger
@@ -14,7 +16,6 @@
 now.
 
 Fixes: 8ae3023387e9 ("net/tap: add Rx/Tx checksum offload support")
-Cc: stable@dpdk.org
 
 Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
 Reviewed-by: Ferruh Yigit <ferruh.yigit@intel.com>
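
The length validation the commit message calls for, written as a stand-alone added example (not code from the patch or from DPDK). It goes slightly beyond the patch by also checking the IPv4 IHL and a lower bound on total_length; the helper name, the untagged-Ethernet assumption and the sample frame are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HLEN  14u /* untagged Ethernet header (assumption: no VLAN) */
#define IPV6_HLEN 40u /* fixed IPv6 header, extensions not handled */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Hypothetical helper, not a DPDK API. Returns how many bytes, starting at
 * the L3 header, a header-trusting checksum routine may read, or 0 when the
 * lengths claimed by the headers do not fit in the rx_len bytes received. */
size_t l3_bytes_safe_to_checksum(const uint8_t *frame, size_t rx_len)
{
	const uint8_t *l3;
	size_t avail, hdr_len, claimed;

	if (rx_len < ETH_HLEN)
		return 0;                       /* EtherType not even present */
	l3 = frame + ETH_HLEN;
	avail = rx_len - ETH_HLEN;
	switch (be16(frame + 12)) {             /* EtherType */
	case 0x0800:                            /* IPv4 */
		if (avail < 20)
			return 0;               /* fixed header truncated */
		hdr_len = (size_t)(l3[0] & 0x0f) * 4;
		claimed = be16(l3 + 2);         /* total_length: header + payload */
		if (hdr_len < 20 || hdr_len > avail)
			return 0;               /* bad IHL or options truncated */
		if (claimed < hdr_len || claimed > avail)
			return 0;               /* lower and upper bound on the claim */
		return claimed;
	case 0x86dd:                            /* IPv6 */
		if (avail < IPV6_HLEN)
			return 0;               /* check before reading payload_len */
		claimed = IPV6_HLEN + be16(l3 + 4); /* payload_len excludes header */
		return claimed > avail ? 0 : claimed;
	default:
		return 0;                       /* not IP, nothing to verify */
	}
}

int main(void)
{
	/* Constructed frame: IPv4, IHL 5, total_length 1500, only 34 bytes received. */
	uint8_t f[34] = { [12] = 0x08, 0x00, 0x45, 0x00, 0x05, 0xdc };
	printf("safe bytes: %zu\n", l3_bytes_safe_to_checksum(f, sizeof(f)));
	return 0;
}
```

A caller would pass the returned length to the checksum routine only when it is non-zero, and skip verification otherwise.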
