[dpdk-stable] [dpdk-dev] [PATCH] gro: fix overflow of TCP Options length calculation

Stephen Hemminger stephen at networkplumber.org
Tue Jan 8 07:19:18 CET 2019


On Tue, 8 Jan 2019 01:22:18 +0000
"Hu, Jiayu" <jiayu.hu at intel.com> wrote:

> > -----Original Message-----
> > From: Richardson, Bruce
> > Sent: Monday, January 7, 2019 10:30 PM
> > To: Hu, Jiayu <jiayu.hu at intel.com>
> > Cc: dev at dpdk.org; Bie, Tiwei <tiwei.bie at intel.com>; stable at dpdk.org
> > Subject: Re: [dpdk-dev] [PATCH] gro: fix overflow of TCP Options length
> > calculation
> > 
> > On Fri, Jan 04, 2019 at 09:57:16AM +0800, Jiayu Hu wrote:  
> > > If we receive a packet with an invalid TCP header, whose
> > > TCP header length is less than 20 bytes (the minimal TCP
> > > header length), the calculated TCP Options length will
> > > overflow and result in incorrect reassembly behaviors.  
> > 
> > Please explain how changing the "len" type fixes this behaviour.  
> 
> Originally, 'uint16_t len = RTE_MAX(tcp_hl, tcp_hl_orig) - sizeof(struct tcp_hdr)'.
> When the TCP header length of an input packet is less than 20, which is the value of
> sizeof(struct tcp_hdr), the value of len will overflow. For example, if TCP header lengths
> of input packets are 14, the value of 'len' will be 65529 (65535-6). After that, we will
> compare TCP options via memcmp(tcp_hdr+1,..., len), which would cause a segmentation fault.

For future safety, GRO should check header lengths for IP and TCP before looking
at the packet. It is basic structure hygiene.
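
The wrap-around described in this thread, next to a header-length check of the kind suggested above, as an added example that is not part of the original messages and is not DPDK's code. It assumes plain byte buffers instead of mbufs; the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCP_MIN_HDR_LEN 20u /* fixed TCP header without options */

/* Options length as in the expression quoted in the thread: with no lower
 * bound on the header length, a value below 20 wraps in the 16-bit result. */
static uint16_t opt_len_unchecked(uint16_t tcp_hl, uint16_t tcp_hl_orig)
{
    uint16_t hl = tcp_hl > tcp_hl_orig ? tcp_hl : tcp_hl_orig;
    return (uint16_t)(hl - TCP_MIN_HDR_LEN);
}

/* Hypothetical helper: derive the header length from the data-offset byte
 * (upper 4 bits, in 32-bit words) and reject it unless it is at least 20
 * and fits in the bytes actually present. Returns 0 on success, -1 otherwise. */
static int opt_len_checked(uint8_t data_off, size_t avail, uint16_t *opt_len)
{
    uint16_t hl = (uint16_t)((data_off >> 4) * 4);
    if (hl < TCP_MIN_HDR_LEN || hl > avail)
        return -1;
    *opt_len = (uint16_t)(hl - TCP_MIN_HDR_LEN);
    return 0;
}

/* Hypothetical helper: compare the options of two TCP headers.
 * Returns 0 if equal, 1 if different, -1 if either header is invalid. */
static int tcp_opts_cmp(const uint8_t *a, size_t a_len,
                        const uint8_t *b, size_t b_len)
{
    uint16_t la, lb;
    if (a_len < TCP_MIN_HDR_LEN || b_len < TCP_MIN_HDR_LEN)
        return -1;
    if (opt_len_checked(a[12], a_len, &la) || opt_len_checked(b[12], b_len, &lb))
        return -1;
    if (la != lb)
        return 1;
    return memcmp(a + TCP_MIN_HDR_LEN, b + TCP_MIN_HDR_LEN, la) != 0;
}

int main(void)
{
    uint8_t good[24] = {0}, bad[24] = {0}; /* constructed sample headers */
    good[12] = 0x60; /* data offset 6 words = 24 bytes, 4 bytes of options */
    bad[12] = 0x30;  /* data offset 3 words = 12 bytes, below the minimum */
    printf("unchecked len for 14-byte header: %u\n", (unsigned)opt_len_unchecked(14, 14));
    printf("good vs good: %d, good vs bad: %d\n",
           tcp_opts_cmp(good, sizeof good, good, sizeof good),
           tcp_opts_cmp(good, sizeof good, bad, sizeof bad));
    return 0;
}
```

With the check in place, the undersized header is rejected before any length is passed to memcmp, so the comparison never reads past the bytes that were received.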

