[dpdk-stable] patch 'gro: check invalid TCP header length' has been queued to LTS release 18.11.1

Kevin Traynor ktraynor at redhat.com
Thu Feb 7 14:25:26 CET 2019

Previous message: [dpdk-stable] patch 'app/pdump: fix vdev cleanup' has been queued to LTS release 18.11.1
Next message: [dpdk-stable] patch 'doc: add GRO limitations in programmers guide' has been queued to LTS release 18.11.1
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

FYI, your patch has been queued to LTS release 18.11.1

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 02/14/19. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Thanks.

Kevin Traynor

---
>From b263fe2abfb121b93eeeed9c2ab452fb67fa8db1 Mon Sep 17 00:00:00 2001
From: Jiayu Hu <jiayu.hu at intel.com>
Date: Wed, 16 Jan 2019 08:45:33 +0800
Subject: [PATCH] gro: check invalid TCP header length

[ upstream commit 7ccc7a05d6ce57a8db88ccc70d507e7e3d51cd37 ]

When the TCP header length of input packets is invalid (i.e., less
than 20 bytes or greater than 60 bytes), check_seq_option() will
access illegal memory area when compare TCP Options, which may
cause a segmentation fault.

This patch adds missing invalid TCP header length check to avoid
illegal memory accesses.

Fixes: 0d2cbe59b719 ("lib/gro: support TCP/IPv4")
Fixes: 9e0b9d2ec0f4 ("gro: support VxLAN GRO")

Signed-off-by: Jiayu Hu <jiayu.hu at intel.com>
Tested-by: Yinan Wang <yinan.wang at intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev at intel.com>
---
 lib/librte_gro/gro_tcp4.c       | 7 +++++++
 lib/librte_gro/gro_tcp4.h       | 5 +++++
 lib/librte_gro/gro_vxlan_tcp4.c | 7 +++++++
 3 files changed, 19 insertions(+)

diff --git a/lib/librte_gro/gro_tcp4.c b/lib/librte_gro/gro_tcp4.c
index 2fe9aab3e..7d128a431 100644
--- a/lib/librte_gro/gro_tcp4.c
+++ b/lib/librte_gro/gro_tcp4.c
@@ -209,4 +209,11 @@ gro_tcp4_reassemble(struct rte_mbuf *pkt,
 	uint8_t find;
 
+	/*
+	 * Don't process the packet whose TCP header length is greater
+	 * than 60 bytes or less than 20 bytes.
+	 */
+	if (unlikely(INVALID_TCP_HDRLEN(pkt->l4_len)))
+		return -1;
+
 	eth_hdr = rte_pktmbuf_mtod(pkt, struct ether_hdr *);
 	ipv4_hdr = (struct ipv4_hdr *)((char *)eth_hdr + pkt->l2_len);
diff --git a/lib/librte_gro/gro_tcp4.h b/lib/librte_gro/gro_tcp4.h
index 6bb30cdb9..d97924883 100644
--- a/lib/librte_gro/gro_tcp4.h
+++ b/lib/librte_gro/gro_tcp4.h
@@ -18,4 +18,9 @@
 #define MAX_IPV4_PKT_LENGTH UINT16_MAX
 
+/* The maximum TCP header length */
+#define MAX_TCP_HLEN 60
+#define INVALID_TCP_HDRLEN(len) \
+	(((len) < sizeof(struct tcp_hdr)) || ((len) > MAX_TCP_HLEN))
+
 /* Header fields representing a TCP/IPv4 flow */
 struct tcp4_flow_key {
diff --git a/lib/librte_gro/gro_vxlan_tcp4.c b/lib/librte_gro/gro_vxlan_tcp4.c
index 955ae4b56..acb9bc919 100644
--- a/lib/librte_gro/gro_vxlan_tcp4.c
+++ b/lib/librte_gro/gro_vxlan_tcp4.c
@@ -307,4 +307,11 @@ gro_vxlan_tcp4_reassemble(struct rte_mbuf *pkt,
 	uint8_t find;
 
+	/*
+	 * Don't process the packet whose TCP header length is greater
+	 * than 60 bytes or less than 20 bytes.
+	 */
+	if (unlikely(INVALID_TCP_HDRLEN(pkt->l4_len)))
+		return -1;
+
 	outer_eth_hdr = rte_pktmbuf_mtod(pkt, struct ether_hdr *);
 	outer_ipv4_hdr = (struct ipv4_hdr *)((char *)outer_eth_hdr +
-- 
2.19.0

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2019-02-07 13:19:55.991016820 +0000
+++ 0020-gro-check-invalid-TCP-header-length.patch	2019-02-07 13:19:55.000000000 +0000
@@ -1,8 +1,10 @@
-From 7ccc7a05d6ce57a8db88ccc70d507e7e3d51cd37 Mon Sep 17 00:00:00 2001
+From b263fe2abfb121b93eeeed9c2ab452fb67fa8db1 Mon Sep 17 00:00:00 2001
 From: Jiayu Hu <jiayu.hu at intel.com>
 Date: Wed, 16 Jan 2019 08:45:33 +0800
 Subject: [PATCH] gro: check invalid TCP header length
 
+[ upstream commit 7ccc7a05d6ce57a8db88ccc70d507e7e3d51cd37 ]
+
 When the TCP header length of input packets is invalid (i.e., less
 than 20 bytes or greater than 60 bytes), check_seq_option() will
 access illegal memory area when compare TCP Options, which may
@@ -13,7 +15,6 @@
 
 Fixes: 0d2cbe59b719 ("lib/gro: support TCP/IPv4")
 Fixes: 9e0b9d2ec0f4 ("gro: support VxLAN GRO")
-Cc: stable at dpdk.org
 
 Signed-off-by: Jiayu Hu <jiayu.hu at intel.com>
 Tested-by: Yinan Wang <yinan.wang at intel.com>

Previous message: [dpdk-stable] patch 'app/pdump: fix vdev cleanup' has been queued to LTS release 18.11.1
Next message: [dpdk-stable] patch 'doc: add GRO limitations in programmers guide' has been queued to LTS release 18.11.1
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the stable mailing list