From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by dpdk.org (Postfix) with ESMTP id 71F3E1B494 for ; Fri, 4 Jan 2019 14:28:22 +0100 (CET) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id CA93687632; Fri, 4 Jan 2019 13:28:21 +0000 (UTC) Received: from ktraynor.remote.csb (ovpn-117-13.ams2.redhat.com [10.36.117.13]) by smtp.corp.redhat.com (Postfix) with ESMTP id 182BF5C1A1; Fri, 4 Jan 2019 13:28:19 +0000 (UTC) From: Kevin Traynor To: Bruce Richardson Cc: Ferruh Yigit , Keith Wiles , dpdk stable Date: Fri, 4 Jan 2019 13:24:45 +0000 Message-Id: <20190104132455.15170-63-ktraynor@redhat.com> In-Reply-To: <20190104132455.15170-1-ktraynor@redhat.com> References: <20190104132455.15170-1-ktraynor@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.26]); Fri, 04 Jan 2019 13:28:21 +0000 (UTC) Subject: [dpdk-stable] patch 'net/tap: add buffer overflow checks before checksum' has been queued to LTS release 18.11.1 X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Jan 2019 13:28:22 -0000 Hi, FYI, your patch has been queued to LTS release 18.11.1 Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet. It will be pushed if I get no objections before 01/11/19. So please shout if anyone has objections. Also note that after the patch there's a diff of the upstream commit vs the patch applied to the branch. This will indicate if there was any rebasing needed to apply to the stable branch. If there were code changes for rebasing (ie: not only metadata diffs), please double check that the rebase was correctly done. Thanks. Kevin Traynor --- >>From 8bfda00f4cc63d61cbb36dfc4fb30d3374821c6b Mon Sep 17 00:00:00 2001 From: Bruce Richardson Date: Mon, 17 Dec 2018 15:50:05 +0000 Subject: [PATCH] net/tap: add buffer overflow checks before checksum [ upstream commit 1168a4fd193c3bf981c4889cba150a7bb4c1d169 ] The checksum calculation APIs take only the packet headers pointers as parameters, so they assume that the lengths reported in those headers are correct. However, a malicious packet could claim to be far larger than it is, so we need to check the header lengths in the driver before calling the checksum API. A better fix would be to allow the lengths to be passed into the API function, but that would be an API break, so fixing in TAP driver for now. Fixes: 8ae3023387e9 ("net/tap: add Rx/Tx checksum offload support") Signed-off-by: Bruce Richardson Reviewed-by: Ferruh Yigit Acked-by: Keith Wiles --- drivers/net/tap/rte_eth_tap.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/drivers/net/tap/rte_eth_tap.c b/drivers/net/tap/rte_eth_tap.c index 49afd38dd..0ec030bef 100644 --- a/drivers/net/tap/rte_eth_tap.c +++ b/drivers/net/tap/rte_eth_tap.c @@ -282,4 +282,10 @@ tap_verify_csum(struct rte_mbuf *mbuf) if (unlikely(l2_len + l3_len > rte_pktmbuf_data_len(mbuf))) return; + /* check that the total length reported by header is not + * greater than the total received size + */ + if (l2_len + rte_be_to_cpu_16(iph->total_length) > + rte_pktmbuf_data_len(mbuf)) + return; cksum = ~rte_raw_cksum(iph, l3_len); @@ -288,5 +294,13 @@ tap_verify_csum(struct rte_mbuf *mbuf) PKT_RX_IP_CKSUM_GOOD; } else if (l3 == RTE_PTYPE_L3_IPV6) { + struct ipv6_hdr *iph = l3_hdr; + l3_len = sizeof(struct ipv6_hdr); + /* check that the total length reported by header is not + * greater than the total received size + */ + if (l2_len + l3_len + rte_be_to_cpu_16(iph->payload_len) > + rte_pktmbuf_data_len(mbuf)) + return; } else { /* IPv6 extensions are not supported */ -- 2.19.0 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2019-01-04 13:23:08.980683763 +0000 +++ 0063-net-tap-add-buffer-overflow-checks-before-checksum.patch 2019-01-04 13:23:07.000000000 +0000 @@ -1,8 +1,10 @@ -From 1168a4fd193c3bf981c4889cba150a7bb4c1d169 Mon Sep 17 00:00:00 2001 +From 8bfda00f4cc63d61cbb36dfc4fb30d3374821c6b Mon Sep 17 00:00:00 2001 From: Bruce Richardson Date: Mon, 17 Dec 2018 15:50:05 +0000 Subject: [PATCH] net/tap: add buffer overflow checks before checksum +[ upstream commit 1168a4fd193c3bf981c4889cba150a7bb4c1d169 ] + The checksum calculation APIs take only the packet headers pointers as parameters, so they assume that the lengths reported in those headers are correct. However, a malicious packet could claim to be far larger @@ -14,7 +16,6 @@ now. Fixes: 8ae3023387e9 ("net/tap: add Rx/Tx checksum offload support") -Cc: stable@dpdk.org Signed-off-by: Bruce Richardson Reviewed-by: Ferruh Yigit