* [dpdk-stable] [PATCH 17.11] gro: fix overflow of TCP payload calculation
@ 2019-01-09 2:20 Jiayu Hu
2019-01-09 9:30 ` Yongseok Koh
0 siblings, 1 reply; 2+ messages in thread
From: Jiayu Hu @ 2019-01-09 2:20 UTC (permalink / raw)
To: stable; +Cc: Jiayu Hu
When the IPv4 packet length is less than the total length of IPv4
and TCP headers, the calculated TCP payload length will overflow
and result in incorrect reassembly behaviors.
Fixes: 0d2cbe59b719 ("lib/gro: support TCP/IPv4")
Signed-off-by: Jiayu Hu <jiayu.hu@intel.com>
---
lib/librte_gro/gro_tcp4.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/lib/librte_gro/gro_tcp4.c b/lib/librte_gro/gro_tcp4.c
index 61a0423..d1c6c7d 100644
--- a/lib/librte_gro/gro_tcp4.c
+++ b/lib/librte_gro/gro_tcp4.c
@@ -343,7 +343,8 @@ gro_tcp4_reassemble(struct rte_mbuf *pkt,
struct ipv4_hdr *ipv4_hdr;
struct tcp_hdr *tcp_hdr;
uint32_t sent_seq;
- uint16_t tcp_dl, ip_id;
+ uint16_t ip_id;
+ int32_t tcp_dl;
struct tcp4_key key;
uint32_t cur_idx, prev_idx, item_idx;
@@ -360,10 +361,10 @@ gro_tcp4_reassemble(struct rte_mbuf *pkt,
*/
if (tcp_hdr->tcp_flags != TCP_ACK_FLAG)
return -1;
- /* if payload length is 0, return immediately */
+ /* if payload length is less than or equal to 0, return immediately */
tcp_dl = rte_be_to_cpu_16(ipv4_hdr->total_length) - pkt->l3_len -
pkt->l4_len;
- if (tcp_dl == 0)
+ if (tcp_dl <= 0)
return -1;
ip_id = rte_be_to_cpu_16(ipv4_hdr->packet_id);
--
2.7.4
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [dpdk-stable] [PATCH 17.11] gro: fix overflow of TCP payload calculation
2019-01-09 2:20 [dpdk-stable] [PATCH 17.11] gro: fix overflow of TCP payload calculation Jiayu Hu
@ 2019-01-09 9:30 ` Yongseok Koh
0 siblings, 0 replies; 2+ messages in thread
From: Yongseok Koh @ 2019-01-09 9:30 UTC (permalink / raw)
To: Jiayu Hu; +Cc: stable
> On Jan 8, 2019, at 6:20 PM, Jiayu Hu <jiayu.hu@intel.com> wrote:
>
> When the IPv4 packet length is less than the total length of IPv4
> and TCP headers, the calculated TCP payload length will overflow
> and result in incorrect reassembly behaviors.
>
> Fixes: 0d2cbe59b719 ("lib/gro: support TCP/IPv4")
>
> Signed-off-by: Jiayu Hu <jiayu.hu@intel.com>
> ---
Applied to stable/17.11
Thanks,
Yongseok
> lib/librte_gro/gro_tcp4.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/lib/librte_gro/gro_tcp4.c b/lib/librte_gro/gro_tcp4.c
> index 61a0423..d1c6c7d 100644
> --- a/lib/librte_gro/gro_tcp4.c
> +++ b/lib/librte_gro/gro_tcp4.c
> @@ -343,7 +343,8 @@ gro_tcp4_reassemble(struct rte_mbuf *pkt,
> struct ipv4_hdr *ipv4_hdr;
> struct tcp_hdr *tcp_hdr;
> uint32_t sent_seq;
> - uint16_t tcp_dl, ip_id;
> + uint16_t ip_id;
> + int32_t tcp_dl;
>
> struct tcp4_key key;
> uint32_t cur_idx, prev_idx, item_idx;
> @@ -360,10 +361,10 @@ gro_tcp4_reassemble(struct rte_mbuf *pkt,
> */
> if (tcp_hdr->tcp_flags != TCP_ACK_FLAG)
> return -1;
> - /* if payload length is 0, return immediately */
> + /* if payload length is less than or equal to 0, return immediately */
> tcp_dl = rte_be_to_cpu_16(ipv4_hdr->total_length) - pkt->l3_len -
> pkt->l4_len;
> - if (tcp_dl == 0)
> + if (tcp_dl <= 0)
> return -1;
>
> ip_id = rte_be_to_cpu_16(ipv4_hdr->packet_id);
> --
> 2.7.4
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-01-09 9:30 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-01-09 2:20 [dpdk-stable] [PATCH 17.11] gro: fix overflow of TCP payload calculation Jiayu Hu
2019-01-09 9:30 ` Yongseok Koh
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).