From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by dpdk.org (Postfix) with ESMTP id 96CE51B526 for ; Thu, 7 Feb 2019 14:27:40 +0100 (CET) Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id BDBADBE03C; Thu, 7 Feb 2019 13:27:39 +0000 (UTC) Received: from ktraynor.remote.csb (unknown [10.33.36.135]) by smtp.corp.redhat.com (Postfix) with ESMTP id 5D57D19CB6; Thu, 7 Feb 2019 13:27:38 +0000 (UTC) From: Kevin Traynor To: Jiayu Hu Cc: Yinan Wang , Konstantin Ananyev , dpdk stable Date: Thu, 7 Feb 2019 13:25:26 +0000 Message-Id: <20190207132614.20538-20-ktraynor@redhat.com> In-Reply-To: <20190207132614.20538-1-ktraynor@redhat.com> References: <20190207132614.20538-1-ktraynor@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.26]); Thu, 07 Feb 2019 13:27:40 +0000 (UTC) Subject: [dpdk-stable] patch 'gro: check invalid TCP header length' has been queued to LTS release 18.11.1 X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Feb 2019 13:27:41 -0000 Hi, FYI, your patch has been queued to LTS release 18.11.1 Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet. It will be pushed if I get no objections before 02/14/19. So please shout if anyone has objections. Also note that after the patch there's a diff of the upstream commit vs the patch applied to the branch. This will indicate if there was any rebasing needed to apply to the stable branch. If there were code changes for rebasing (ie: not only metadata diffs), please double check that the rebase was correctly done. Thanks. Kevin Traynor --- >>From b263fe2abfb121b93eeeed9c2ab452fb67fa8db1 Mon Sep 17 00:00:00 2001 From: Jiayu Hu Date: Wed, 16 Jan 2019 08:45:33 +0800 Subject: [PATCH] gro: check invalid TCP header length [ upstream commit 7ccc7a05d6ce57a8db88ccc70d507e7e3d51cd37 ] When the TCP header length of input packets is invalid (i.e., less than 20 bytes or greater than 60 bytes), check_seq_option() will access illegal memory area when compare TCP Options, which may cause a segmentation fault. This patch adds missing invalid TCP header length check to avoid illegal memory accesses. Fixes: 0d2cbe59b719 ("lib/gro: support TCP/IPv4") Fixes: 9e0b9d2ec0f4 ("gro: support VxLAN GRO") Signed-off-by: Jiayu Hu Tested-by: Yinan Wang Acked-by: Konstantin Ananyev --- lib/librte_gro/gro_tcp4.c | 7 +++++++ lib/librte_gro/gro_tcp4.h | 5 +++++ lib/librte_gro/gro_vxlan_tcp4.c | 7 +++++++ 3 files changed, 19 insertions(+) diff --git a/lib/librte_gro/gro_tcp4.c b/lib/librte_gro/gro_tcp4.c index 2fe9aab3e..7d128a431 100644 --- a/lib/librte_gro/gro_tcp4.c +++ b/lib/librte_gro/gro_tcp4.c @@ -209,4 +209,11 @@ gro_tcp4_reassemble(struct rte_mbuf *pkt, uint8_t find; + /* + * Don't process the packet whose TCP header length is greater + * than 60 bytes or less than 20 bytes. + */ + if (unlikely(INVALID_TCP_HDRLEN(pkt->l4_len))) + return -1; + eth_hdr = rte_pktmbuf_mtod(pkt, struct ether_hdr *); ipv4_hdr = (struct ipv4_hdr *)((char *)eth_hdr + pkt->l2_len); diff --git a/lib/librte_gro/gro_tcp4.h b/lib/librte_gro/gro_tcp4.h index 6bb30cdb9..d97924883 100644 --- a/lib/librte_gro/gro_tcp4.h +++ b/lib/librte_gro/gro_tcp4.h @@ -18,4 +18,9 @@ #define MAX_IPV4_PKT_LENGTH UINT16_MAX +/* The maximum TCP header length */ +#define MAX_TCP_HLEN 60 +#define INVALID_TCP_HDRLEN(len) \ + (((len) < sizeof(struct tcp_hdr)) || ((len) > MAX_TCP_HLEN)) + /* Header fields representing a TCP/IPv4 flow */ struct tcp4_flow_key { diff --git a/lib/librte_gro/gro_vxlan_tcp4.c b/lib/librte_gro/gro_vxlan_tcp4.c index 955ae4b56..acb9bc919 100644 --- a/lib/librte_gro/gro_vxlan_tcp4.c +++ b/lib/librte_gro/gro_vxlan_tcp4.c @@ -307,4 +307,11 @@ gro_vxlan_tcp4_reassemble(struct rte_mbuf *pkt, uint8_t find; + /* + * Don't process the packet whose TCP header length is greater + * than 60 bytes or less than 20 bytes. + */ + if (unlikely(INVALID_TCP_HDRLEN(pkt->l4_len))) + return -1; + outer_eth_hdr = rte_pktmbuf_mtod(pkt, struct ether_hdr *); outer_ipv4_hdr = (struct ipv4_hdr *)((char *)outer_eth_hdr + -- 2.19.0 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2019-02-07 13:19:55.991016820 +0000 +++ 0020-gro-check-invalid-TCP-header-length.patch 2019-02-07 13:19:55.000000000 +0000 @@ -1,8 +1,10 @@ -From 7ccc7a05d6ce57a8db88ccc70d507e7e3d51cd37 Mon Sep 17 00:00:00 2001 +From b263fe2abfb121b93eeeed9c2ab452fb67fa8db1 Mon Sep 17 00:00:00 2001 From: Jiayu Hu Date: Wed, 16 Jan 2019 08:45:33 +0800 Subject: [PATCH] gro: check invalid TCP header length +[ upstream commit 7ccc7a05d6ce57a8db88ccc70d507e7e3d51cd37 ] + When the TCP header length of input packets is invalid (i.e., less than 20 bytes or greater than 60 bytes), check_seq_option() will access illegal memory area when compare TCP Options, which may @@ -13,7 +15,6 @@ Fixes: 0d2cbe59b719 ("lib/gro: support TCP/IPv4") Fixes: 9e0b9d2ec0f4 ("gro: support VxLAN GRO") -Cc: stable@dpdk.org Signed-off-by: Jiayu Hu Tested-by: Yinan Wang