[dpdk-stable] patch 'ip_frag: check fragment length of incoming packet' has been queued to stable release 18.08.1
Kevin Traynor
ktraynor at redhat.com
Fri Nov 23 11:26:55 CET 2018
Hi,
FYI, your patch has been queued to stable release 18.08.1
Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 11/29/18. So please
shout if anyone has objections.
Also note that after the patch there's a diff of the upstream commit vs the patch applied
to the branch. If the code is different (ie: not only metadata diffs), due for example to
a change in context or macro names, please double check it.
Thanks.
Kevin Traynor
---
>From 8110ef175034b7a54ff2dfab80aabbf0fc1a7f22 Mon Sep 17 00:00:00 2001
From: Konstantin Ananyev <konstantin.ananyev at intel.com>
Date: Mon, 5 Nov 2018 12:18:57 +0000
Subject: [PATCH] ip_frag: check fragment length of incoming packet
[ upstream commit 7f0983ee331c9f08dabdb5b7f555ddf399003dcf ]
Under some conditions ill-formed fragments might cause
reassembly code to corrupt mbufs and/or crash.
Let say the following fragments sequence:
<ofs=0,len=100, flags=MF>
<ofs=96,len=100, flags=MF>
<ofs=200,len=0,flags=MF>
<ofs=200,len=100,flags=0>
can trigger the problem.
To overcome such situation, added check that fragment length
of incoming value is greater than zero.
Fixes: 601e279df074 ("ip_frag: move fragmentation/reassembly headers into a library")
Fixes: 4f1a8f633862 ("ip_frag: add IPv6 reassembly")
Reported-by: Ryan E Hall <ryan.e.hall at intel.com>
Reported-by: Alexander V Gutkin <alexander.v.gutkin at intel.com>
Signed-off-by: Konstantin Ananyev <konstantin.ananyev at intel.com>
---
lib/librte_ip_frag/rte_ipv4_reassembly.c | 22 +++++++++++++------
lib/librte_ip_frag/rte_ipv6_reassembly.c | 28 +++++++++++++++++-------
2 files changed, 35 insertions(+), 15 deletions(-)
diff --git a/lib/librte_ip_frag/rte_ipv4_reassembly.c b/lib/librte_ip_frag/rte_ipv4_reassembly.c
index 4956b99ea..1029b7abc 100644
--- a/lib/librte_ip_frag/rte_ipv4_reassembly.c
+++ b/lib/librte_ip_frag/rte_ipv4_reassembly.c
@@ -37,6 +37,9 @@ ipv4_frag_reassemble(struct ip_frag_pkt *fp)
if(fp->frags[i].ofs + fp->frags[i].len == ofs) {
+ RTE_ASSERT(curr_idx != i);
+
/* adjust start of the last fragment data. */
- rte_pktmbuf_adj(m, (uint16_t)(m->l2_len + m->l3_len));
+ rte_pktmbuf_adj(m,
+ (uint16_t)(m->l2_len + m->l3_len));
rte_pktmbuf_chain(fp->frags[i].mb, m);
@@ -97,12 +100,12 @@ ipv4_frag_reassemble(struct ip_frag_pkt *fp)
struct rte_mbuf *
rte_ipv4_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl,
- struct rte_ip_frag_death_row *dr, struct rte_mbuf *mb, uint64_t tms,
- struct ipv4_hdr *ip_hdr)
+ struct rte_ip_frag_death_row *dr, struct rte_mbuf *mb, uint64_t tms,
+ struct ipv4_hdr *ip_hdr)
{
struct ip_frag_pkt *fp;
struct ip_frag_key key;
const unaligned_uint64_t *psd;
- uint16_t ip_len;
uint16_t flag_offset, ip_ofs, ip_flag;
+ int32_t ip_len;
flag_offset = rte_be_to_cpu_16(ip_hdr->fragment_offset);
@@ -117,10 +120,9 @@ rte_ipv4_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl,
ip_ofs *= IPV4_HDR_OFFSET_UNITS;
- ip_len = (uint16_t)(rte_be_to_cpu_16(ip_hdr->total_length) -
- mb->l3_len);
+ ip_len = rte_be_to_cpu_16(ip_hdr->total_length) - mb->l3_len;
IP_FRAG_LOG(DEBUG, "%s:%d:\n"
"mbuf: %p, tms: %" PRIu64
- ", key: <%" PRIx64 ", %#x>, ofs: %u, len: %u, flags: %#x\n"
+ ", key: <%" PRIx64 ", %#x>, ofs: %u, len: %d, flags: %#x\n"
"tbl: %p, max_cycles: %" PRIu64 ", entry_mask: %#x, "
"max_entries: %u, use_entries: %u\n\n",
@@ -130,4 +132,10 @@ rte_ipv4_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl,
tbl->use_entries);
+ /* check that fragment length is greater then zero. */
+ if (ip_len <= 0) {
+ IP_FRAG_MBUF2DR(dr, mb);
+ return NULL;
+ }
+
/* try to find/add entry into the fragment's table. */
if ((fp = ip_frag_find(tbl, dr, &key, tms)) == NULL) {
diff --git a/lib/librte_ip_frag/rte_ipv6_reassembly.c b/lib/librte_ip_frag/rte_ipv6_reassembly.c
index db249fe60..855e3f740 100644
--- a/lib/librte_ip_frag/rte_ipv6_reassembly.c
+++ b/lib/librte_ip_frag/rte_ipv6_reassembly.c
@@ -60,6 +60,9 @@ ipv6_frag_reassemble(struct ip_frag_pkt *fp)
if (fp->frags[i].ofs + fp->frags[i].len == ofs) {
+ RTE_ASSERT(curr_idx != i);
+
/* adjust start of the last fragment data. */
- rte_pktmbuf_adj(m, (uint16_t)(m->l2_len + m->l3_len));
+ rte_pktmbuf_adj(m,
+ (uint16_t)(m->l2_len + m->l3_len));
rte_pktmbuf_chain(fp->frags[i].mb, m);
@@ -136,10 +139,11 @@ ipv6_frag_reassemble(struct ip_frag_pkt *fp)
struct rte_mbuf *
rte_ipv6_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl,
- struct rte_ip_frag_death_row *dr, struct rte_mbuf *mb, uint64_t tms,
- struct ipv6_hdr *ip_hdr, struct ipv6_extension_fragment *frag_hdr)
+ struct rte_ip_frag_death_row *dr, struct rte_mbuf *mb, uint64_t tms,
+ struct ipv6_hdr *ip_hdr, struct ipv6_extension_fragment *frag_hdr)
{
struct ip_frag_pkt *fp;
struct ip_frag_key key;
- uint16_t ip_len, ip_ofs;
+ uint16_t ip_ofs;
+ int32_t ip_len;
rte_memcpy(&key.src_dst[0], ip_hdr->src_addr, 16);
@@ -152,7 +156,8 @@ rte_ipv6_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl,
/*
- * as per RFC2460, payload length contains all extension headers as well.
- * since we don't support anything but frag headers, this is what we remove
- * from the payload len.
+ * as per RFC2460, payload length contains all extension headers
+ * as well.
+ * since we don't support anything but frag headers,
+ * this is what we remove from the payload len.
*/
ip_len = rte_be_to_cpu_16(ip_hdr->payload_len) - sizeof(*frag_hdr);
@@ -160,5 +165,6 @@ rte_ipv6_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl,
IP_FRAG_LOG(DEBUG, "%s:%d:\n"
"mbuf: %p, tms: %" PRIu64
- ", key: <" IPv6_KEY_BYTES_FMT ", %#x>, ofs: %u, len: %u, flags: %#x\n"
+ ", key: <" IPv6_KEY_BYTES_FMT ", %#x>, "
+ "ofs: %u, len: %d, flags: %#x\n"
"tbl: %p, max_cycles: %" PRIu64 ", entry_mask: %#x, "
"max_entries: %u, use_entries: %u\n\n",
@@ -169,4 +175,10 @@ rte_ipv6_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl,
tbl->use_entries);
+ /* check that fragment length is greater then zero. */
+ if (ip_len <= 0) {
+ IP_FRAG_MBUF2DR(dr, mb);
+ return NULL;
+ }
+
/* try to find/add entry into the fragment's table. */
fp = ip_frag_find(tbl, dr, &key, tms);
--
2.19.0
---
Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- - 2018-11-23 10:22:55.580563827 +0000
+++ 0051-ip_frag-check-fragment-length-of-incoming-packet.patch 2018-11-23 10:22:54.000000000 +0000
@@ -1,8 +1,10 @@
-From 7f0983ee331c9f08dabdb5b7f555ddf399003dcf Mon Sep 17 00:00:00 2001
+From 8110ef175034b7a54ff2dfab80aabbf0fc1a7f22 Mon Sep 17 00:00:00 2001
From: Konstantin Ananyev <konstantin.ananyev at intel.com>
Date: Mon, 5 Nov 2018 12:18:57 +0000
Subject: [PATCH] ip_frag: check fragment length of incoming packet
+[ upstream commit 7f0983ee331c9f08dabdb5b7f555ddf399003dcf ]
+
Under some conditions ill-formed fragments might cause
reassembly code to corrupt mbufs and/or crash.
Let say the following fragments sequence:
@@ -16,7 +18,6 @@
Fixes: 601e279df074 ("ip_frag: move fragmentation/reassembly headers into a library")
Fixes: 4f1a8f633862 ("ip_frag: add IPv6 reassembly")
-Cc: stable at dpdk.org
Reported-by: Ryan E Hall <ryan.e.hall at intel.com>
Reported-by: Alexander V Gutkin <alexander.v.gutkin at intel.com>
More information about the stable
mailing list