From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mellanox.co.il (mail-il-dmz.mellanox.com [193.47.165.129]) by dpdk.org (Postfix) with ESMTP id 8ED1527D for ; Fri, 8 Mar 2019 18:49:17 +0100 (CET)
Received: from Internal Mail-Server by MTLPINE1 (envelope-from yskoh@mellanox.com) with ESMTPS (AES256-SHA encrypted); 8 Mar 2019 19:49:14 +0200
Received: from scfae-sc-2.mti.labs.mlnx (scfae-sc-2.mti.labs.mlnx [10.101.0.96]) by labmailer.mlnx (8.13.8/8.13.8) with ESMTP id x28HloB6002625; Fri, 8 Mar 2019 19:49:12 +0200
From: Yongseok Koh
To: Jiayu Hu
Cc: Yinan Wang, Konstantin Ananyev, dpdk stable
Date: Fri, 8 Mar 2019 09:47:28 -0800
Message-Id: <20190308174749.30771-50-yskoh@mellanox.com>
X-Mailer: git-send-email 2.11.0
In-Reply-To: <20190308174749.30771-1-yskoh@mellanox.com>
References: <20190308174749.30771-1-yskoh@mellanox.com>
Subject: [dpdk-stable] patch 'gro: check invalid TCP header length' has been queued to LTS release 17.11.6
X-BeenThere: stable@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: patches for DPDK stable branches
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 08 Mar 2019 17:49:17 -0000

Hi,

FYI, your patch has been queued to LTS release 17.11.6

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objection by 03/13/19. So please shout if anyone has objection.

Also note that after the patch there's a diff of the upstream commit vs the patch applied to the branch. If the code is different (ie: not only metadata diffs), due for example to a change in context or macro names, please double check it.

Thanks.

Yongseok

---
>>From 46d6450b79018c3a38634e2fdd8269f9cb262fa4 Mon Sep 17 00:00:00 2001
From: Jiayu Hu Date: Wed, 16 Jan 2019 08:45:33 +0800 Subject: [PATCH] gro: check invalid TCP header length [ backported from upstream commit 7ccc7a05d6ce57a8db88ccc70d507e7e3d51cd37 ] When the TCP header length of input packets is invalid (i.e., less than 20 bytes or greater than 60 bytes), check_seq_option() will access illegal memory area when compare TCP Options, which may cause a segmentation fault. This patch adds missing invalid TCP header length check to avoid illegal memory accesses. Fixes: 0d2cbe59b719 ("lib/gro: support TCP/IPv4") Fixes: 9e0b9d2ec0f4 ("gro: support VxLAN GRO") Signed-off-by: Jiayu Hu Tested-by: Yinan Wang Acked-by: Konstantin Ananyev --- lib/librte_gro/gro_tcp4.c | 7 +++++++ lib/librte_gro/gro_tcp4.h | 5 +++++ 2 files changed, 12 insertions(+) diff --git a/lib/librte_gro/gro_tcp4.c b/lib/librte_gro/gro_tcp4.c index d1c6c7ded..5ce5104a4 100644 --- a/lib/librte_gro/gro_tcp4.c +++ b/lib/librte_gro/gro_tcp4.c @@ -351,6 +351,13 @@ gro_tcp4_reassemble(struct rte_mbuf *pkt, uint32_t i, max_key_num; int cmp; + /* + * Don't process the packet whose TCP header length is greater + * than 60 bytes or less than 20 bytes. + */ + if (unlikely(INVALID_TCP_HDRLEN(pkt->l4_len))) + return -1; + eth_hdr = rte_pktmbuf_mtod(pkt, struct ether_hdr *); ipv4_hdr = (struct ipv4_hdr *)((char *)eth_hdr + pkt->l2_len); tcp_hdr = (struct tcp_hdr *)((char *)ipv4_hdr + pkt->l3_len); diff --git a/lib/librte_gro/gro_tcp4.h b/lib/librte_gro/gro_tcp4.h index 0a817162b..f8193d1f3 100644 --- a/lib/librte_gro/gro_tcp4.h +++ b/lib/librte_gro/gro_tcp4.h 
@@ -42,6 +42,11 @@ */ #define TCP4_MAX_L3_LENGTH UINT16_MAX +/* The maximum TCP header length */ +#define MAX_TCP_HLEN 60 +#define INVALID_TCP_HDRLEN(len) \ + (((len) < sizeof(struct tcp_hdr)) || ((len) > MAX_TCP_HLEN)) + /* criteria of mergeing packets */ struct tcp4_key { struct ether_addr eth_saddr; -- 2.11.0 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2019-03-08 09:46:42.693494519 -0800 +++ 0050-gro-check-invalid-TCP-header-length.patch 2019-03-08 09:46:40.248403000 -0800 @@ -1,8 +1,10 @@ -From 7ccc7a05d6ce57a8db88ccc70d507e7e3d51cd37 Mon Sep 17 00:00:00 2001 +From 46d6450b79018c3a38634e2fdd8269f9cb262fa4 Mon Sep 17 00:00:00 2001 From: Jiayu Hu Date: Wed, 16 Jan 2019 08:45:33 +0800 Subject: [PATCH] gro: check invalid TCP header length +[ backported from upstream commit 7ccc7a05d6ce57a8db88ccc70d507e7e3d51cd37 ] + When the TCP header length of input packets is invalid (i.e., less than 20 bytes or greater than 60 bytes), check_seq_option() will access illegal memory area when compare TCP Options, which may @@ -13,24 +15,22 @@ Fixes: 0d2cbe59b719 ("lib/gro: support TCP/IPv4") Fixes: 9e0b9d2ec0f4 ("gro: support VxLAN GRO") -Cc: stable@dpdk.org Signed-off-by: Jiayu Hu Tested-by: Yinan Wang Acked-by: Konstantin Ananyev --- - lib/librte_gro/gro_tcp4.c | 7 +++++++ - lib/librte_gro/gro_tcp4.h | 5 +++++ - lib/librte_gro/gro_vxlan_tcp4.c | 7 +++++++ - 3 files changed, 19 insertions(+) + lib/librte_gro/gro_tcp4.c | 7 +++++++ + lib/librte_gro/gro_tcp4.h | 5 +++++ + 2 files changed, 12 insertions(+) diff --git a/lib/librte_gro/gro_tcp4.c b/lib/librte_gro/gro_tcp4.c -index 2fe9aab3e..7d128a431 100644 +index d1c6c7ded..5ce5104a4 100644 --- a/lib/librte_gro/gro_tcp4.c 
+++ b/lib/librte_gro/gro_tcp4.c -@@ -208,6 +208,13 @@ gro_tcp4_reassemble(struct rte_mbuf *pkt, +@@ -351,6 +351,13 @@ gro_tcp4_reassemble(struct rte_mbuf *pkt, + uint32_t i, max_key_num; int cmp; - uint8_t find; + /* + * Don't process the packet whose TCP header length is greater @@ -43,39 +43,21 @@ ipv4_hdr = (struct ipv4_hdr *)((char *)eth_hdr + pkt->l2_len); tcp_hdr = (struct tcp_hdr *)((char *)ipv4_hdr + pkt->l3_len); diff --git a/lib/librte_gro/gro_tcp4.h b/lib/librte_gro/gro_tcp4.h -index 6bb30cdb9..d97924883 100644 +index 0a817162b..f8193d1f3 100644 --- a/lib/librte_gro/gro_tcp4.h +++ b/lib/librte_gro/gro_tcp4.h -@@ -17,6 +17,11 @@ +@@ -42,6 +42,11 @@ */ - #define MAX_IPV4_PKT_LENGTH UINT16_MAX + #define TCP4_MAX_L3_LENGTH UINT16_MAX +/* The maximum TCP header length */ +#define MAX_TCP_HLEN 60 +#define INVALID_TCP_HDRLEN(len) \ + (((len) < sizeof(struct tcp_hdr)) || ((len) > MAX_TCP_HLEN)) + - /* Header fields representing a TCP/IPv4 flow */ - struct tcp4_flow_key { + /* criteria of mergeing packets */ + struct tcp4_key { struct ether_addr eth_saddr; -diff --git a/lib/librte_gro/gro_vxlan_tcp4.c b/lib/librte_gro/gro_vxlan_tcp4.c -index 955ae4b56..acb9bc919 100644 ---- a/lib/librte_gro/gro_vxlan_tcp4.c -+++ b/lib/librte_gro/gro_vxlan_tcp4.c -@@ -306,6 +306,13 @@ gro_vxlan_tcp4_reassemble(struct rte_mbuf *pkt, - uint16_t hdr_len; - uint8_t find; - -+ /* -+ * Don't process the packet whose TCP header length is greater -+ * than 60 bytes or less than 20 bytes. -+ */ -+ if (unlikely(INVALID_TCP_HDRLEN(pkt->l4_len))) -+ return -1; -+ - outer_eth_hdr = rte_pktmbuf_mtod(pkt, struct ether_hdr *); - outer_ipv4_hdr = (struct ipv4_hdr *)((char *)outer_eth_hdr + - pkt->outer_l2_len); -- 2.11.0
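
Review bot: in the gro_tcp4.c hunk (@@ -351,6 +351,13 @@, gro_tcp4_reassemble()) the new guard bounds only pkt->l4_len, while the three context lines right after it still add pkt->l2_len and pkt->l3_len to the mbuf data pointer with no check that l2_len + l3_len + l4_len fits in the data actually present. l4_len is metadata carried in the mbuf, so a value inside the 20..60 range does not by itself prove that many bytes follow the IPv4 header, and the option comparison named in the commit message could still run past a short packet. Suggest also rejecting the packet when that sum exceeds rte_pktmbuf_data_len(pkt), or stating in the comment that the caller guarantees it.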
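
Review bot: in the gro_tcp4.h hunk (@@ -42,6 +42,11 @@) the two new defines are unprefixed and abbreviate the same thing two ways (MAX_TCP_HLEN vs INVALID_TCP_HDRLEN), while the neighbouring define is TCP4_MAX_L3_LENGTH; names in that style would match the file and be less likely to clash with other headers. The comment "The maximum TCP header length" documents only the first define; INVALID_TCP_HDRLEN(len) deserves its own line saying the lower bound is sizeof(struct tcp_hdr) and that len is evaluated twice, so the argument must be free of side effects.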
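
Review bot: in the diff against upstream, the backport drops the gro_vxlan_tcp4.c hunk (the same guard in gro_vxlan_tcp4_reassemble()), yet the commit message still carries Fixes: 9e0b9d2ec0f4 ("gro: support VxLAN GRO"). If lib/librte_gro/gro_vxlan_tcp4.c is not present on the 17.11 branch, say so next to the "backported from upstream commit" line and consider dropping that Fixes tag; if it is present, the VxLAN path is left without the check. The remaining differences (hunk offsets, TCP4_MAX_L3_LENGTH vs MAX_IPV4_PKT_LENGTH and struct tcp4_key vs struct tcp4_flow_key in the context lines) are context only, and the added lines match upstream.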