[dpdk-stable] [PATCH 17.11] gro: fix overflow of TCP payload calculation

Jiayu Hu jiayu.hu at intel.com
Wed Jan 9 03:20:50 CET 2019


When the IPv4 packet length is less than the total length of IPv4
and TCP headers, the calculated TCP payload length will overflow
and result in incorrect reassembly behaviors.

Fixes: 0d2cbe59b719 ("lib/gro: support TCP/IPv4")

Signed-off-by: Jiayu Hu <jiayu.hu at intel.com>
---
 lib/librte_gro/gro_tcp4.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/lib/librte_gro/gro_tcp4.c b/lib/librte_gro/gro_tcp4.c
index 61a0423..d1c6c7d 100644
--- a/lib/librte_gro/gro_tcp4.c
+++ b/lib/librte_gro/gro_tcp4.c
@@ -343,7 +343,8 @@ gro_tcp4_reassemble(struct rte_mbuf *pkt,
 	struct ipv4_hdr *ipv4_hdr;
 	struct tcp_hdr *tcp_hdr;
 	uint32_t sent_seq;
-	uint16_t tcp_dl, ip_id;
+	uint16_t ip_id;
+	int32_t tcp_dl;
 
 	struct tcp4_key key;
 	uint32_t cur_idx, prev_idx, item_idx;
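Review bot: the new `int32_t tcp_dl` declaration has no comment explaining why it is signed, so a later cleanup could narrow it back to `uint16_t` and reintroduce the wrap-around this patch fixes. A one-line comment on the declaration, saying the value can go negative when the IPv4 total length is smaller than the header lengths, would record the intent. Uses of `tcp_dl` further down the function are outside this hunk. Any that pass it to a `uint16_t` parameter or field now narrow implicitly, which is safe only because the `<= 0` check runs first, so they are worth a look before merging.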
@@ -360,10 +361,10 @@ gro_tcp4_reassemble(struct rte_mbuf *pkt,
 	 */
 	if (tcp_hdr->tcp_flags != TCP_ACK_FLAG)
 		return -1;
-	/* if payload length is 0, return immediately */
+	/* if payload length is less than or equal to 0, return immediately */
 	tcp_dl = rte_be_to_cpu_16(ipv4_hdr->total_length) - pkt->l3_len -
 		pkt->l4_len;
-	if (tcp_dl == 0)
+	if (tcp_dl <= 0)
 		return -1;
 
 	ip_id = rte_be_to_cpu_16(ipv4_hdr->packet_id);
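Review bot: the `tcp_dl <= 0` check is only correct if `rte_be_to_cpu_16(ipv4_hdr->total_length) - pkt->l3_len - pkt->l4_len` produces a negative value once stored in `int32_t`, and that depends on the types of `pkt->l3_len` and `pkt->l4_len`, which this hunk does not show. If either is an unsigned type at least as wide as `int`, the subtraction wraps as unsigned and the result relies on the implementation-defined conversion back to `int32_t`. Comparing the total length against `pkt->l3_len + pkt->l4_len` before subtracting, or casting the operands to `int32_t` explicitly, would make the check independent of those types. The payload length is also derived only from the header's `total_length` field. This hunk does not show whether that field is checked against the actual mbuf data length, which would be worth confirming.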
-- 
2.7.4


