From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stephen@networkplumber.org>
Received: from mail-pf1-f195.google.com (mail-pf1-f195.google.com
 [209.85.210.195]) by dpdk.org (Postfix) with ESMTP id 5F3071B442
 for <stable@dpdk.org>; Tue,  8 Jan 2019 07:32:02 +0100 (CET)
Received: by mail-pf1-f195.google.com with SMTP id 64so1409451pfr.9
 for <stable@dpdk.org>; Mon, 07 Jan 2019 22:32:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=networkplumber-org.20150623.gappssmtp.com; s=20150623;
 h=date:from:to:cc:subject:message-id:in-reply-to:references
 :mime-version:content-transfer-encoding;
 bh=XFRK0cUnSC5vHi0g7Wza3dnHEevOrgF29AMYJ45OAIE=;
 b=lixf/qb10XWZpLyiAxkazNdP2fVIX5jK0z37ouX3t0SYYSP+PYqYLvB9i6JJS2nxkS
 RqYhiGbQlxepoRiov2vwWMNntiASnWz3hVl9XE5Qe3ABWrQFiCq6Lw7EULdc5aNImBly
 XscZbG0dLWCAJcsEjfhJ4jqcnhHi+BSR7UJ3lM01TmkY/ZVkV5FgW7wiyrdvXoGO2yhf
 zUHscIlTyOi8okBrEzVpSPdsiYjL6tYKeBhXCQJD3BsqLOSoFbuSuAaRTLxGtf2Xh4UJ
 /kFKSeAXaPUOti4ga9HUiLXA5vrZ9PZ5oXSMDdZa2oRuwI5tSZhXIjIRjXxMo6p6ncJi
 2jyQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:date:from:to:cc:subject:message-id:in-reply-to
 :references:mime-version:content-transfer-encoding;
 bh=XFRK0cUnSC5vHi0g7Wza3dnHEevOrgF29AMYJ45OAIE=;
 b=GcODe31ZYAG5HlLilYiqWOlm8yGUtK+/wnEm6oF+4SwuPJdtPD0RMkjtLbpjFuOqGR
 P2U98iFSJCRjt6tWeA+ItB2pP/oMSIJD3PtytFh47SyTi/efoOH6b6EVEjN9a7/KmIVD
 oxTPW4IG3srybJD1bOuBBZRIhkvdN0AM7CXw04HZMwIPtOKFQjWgdRY3P77rO+kmWVvo
 BitmWQCa6jm+A2Z1wHADh7ivO44y8Iw2EmuterWikzIcOtPtf2jQB+y9HSj9XIRdNBKz
 Mkxf8PwHp0WXj0PfZ9Q81lEOC6CHeq+/HpAiinA6JOc0RDTjsGsnGMVBvuJ+S7sQhgH7
 BhfA==
X-Gm-Message-State: AJcUukdtOF7ju5Aj3UiYY56vwo9F9gxPAzlX/AvZukR++AAKL2JxFpZ5
 Y2vdtuIP0sJhyiXOo5/fCsuVAA==
X-Google-Smtp-Source: ALg8bN5FRfOCpESv17AOlqpvdm+Belesplw2sSF5tBpUV1m9tELqQMTzbxWZnUkk1mNDQNVG/SRAEw==
X-Received: by 2002:a63:fb15:: with SMTP id o21mr446364pgh.211.1546929121440; 
 Mon, 07 Jan 2019 22:32:01 -0800 (PST)
Received: from hermes.lan (204-195-22-127.wavecable.com. [204.195.22.127])
 by smtp.gmail.com with ESMTPSA id b4sm80211935pgq.65.2019.01.07.22.32.01
 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
 Mon, 07 Jan 2019 22:32:01 -0800 (PST)
Date: Mon, 7 Jan 2019 22:31:51 -0800
From: Stephen Hemminger <stephen@networkplumber.org>
To: Jiayu Hu <jiayu.hu@intel.com>
Cc: dev@dpdk.org, tiwei.bie@intel.com, bruce.richardson@intel.com,
 stable@dpdk.org
Message-ID: <20190107223151.18b185b7@hermes.lan>
In-Reply-To: <1546927725-68831-1-git-send-email-jiayu.hu@intel.com>
References: <1546567036-29444-1-git-send-email-jiayu.hu@intel.com>
 <1546927725-68831-1-git-send-email-jiayu.hu@intel.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: Re: [dpdk-stable] [dpdk-dev] [PATCH] gro: add missing invalid
	packet checks
X-BeenThere: stable@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: patches for DPDK stable branches <stable.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/stable>,
 <mailto:stable-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/stable/>
List-Post: <mailto:stable@dpdk.org>
List-Help: <mailto:stable-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/stable>,
 <mailto:stable-request@dpdk.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Jan 2019 06:32:02 -0000

On Tue,  8 Jan 2019 14:08:45 +0800
Jiayu Hu <jiayu.hu@intel.com> wrote:

> +	/*
> +	 * Don't process the packet whose Ethernet, IPv4 and TCP header
> +	 * lengths are invalid. In addition, if the IPv4 header contains
> +	 * Options, the packet shouldn't be processed.
> +	 */
> +	if (unlikely(ILLEGAL_ETHER_HDRLEN(pkt->l2_len) ||
> +			ILLEGAL_IPV4_HDRLEN(pkt->l3_len) ||
> +			ILLEGAL_TCP_HDRLEN(pkt->l4_len)))
> +		return -1;

I like it when code is as picky as possible when doing optimizations because
it reduces possible security riskg.

To me this looks more confusing and not as careful as doing it like:

	if (unlikely(pkt->l2_len != ETHER_HDR_LEN))
		return -1;
	eth_hdr = rte_pktmbuf_mtod(pkt, struct ether_hdr *);
	ipv4_hdr = (struct ipv4_hdr *)((char *)eth_hdr + ETHER_HDR_LEN);

	if (pkt->l3_len != (ipv4->version_ihl & IPV4_HDR_IHL_MASK) << 4)
		return -1;

	if (pkt->l4_len < sizeof(struct tcp_hdr))
		return -1;

You should also check for TCP options as well.

And IPv6 has same issues.