[dpdk-stable] [PATCH 17.11] gro: fix overflow of TCP payload calculation

Yongseok Koh yskoh at mellanox.com
Wed Jan 9 10:30:07 CET 2019


> On Jan 8, 2019, at 6:20 PM, Jiayu Hu <jiayu.hu at intel.com> wrote:
> 
> When the IPv4 packet length is less than the total length of IPv4
> and TCP headers, the calculated TCP payload length will overflow
> and result in incorrect reassembly behaviors.
> 
> Fixes: 0d2cbe59b719 ("lib/gro: support TCP/IPv4")
> 
> Signed-off-by: Jiayu Hu <jiayu.hu at intel.com>
> ---

Applied to stable/17.11

Thanks,
Yongseok

> lib/librte_gro/gro_tcp4.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/lib/librte_gro/gro_tcp4.c b/lib/librte_gro/gro_tcp4.c
> index 61a0423..d1c6c7d 100644
> --- a/lib/librte_gro/gro_tcp4.c
> +++ b/lib/librte_gro/gro_tcp4.c
> @@ -343,7 +343,8 @@ gro_tcp4_reassemble(struct rte_mbuf *pkt,
> 	struct ipv4_hdr *ipv4_hdr;
> 	struct tcp_hdr *tcp_hdr;
> 	uint32_t sent_seq;
> -	uint16_t tcp_dl, ip_id;
> +	uint16_t ip_id;
> +	int32_t tcp_dl;
> 
> 	struct tcp4_key key;
> 	uint32_t cur_idx, prev_idx, item_idx;
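
Review bot: the new `int32_t tcp_dl;` declaration carries no comment explaining why it is signed and wider than the 16-bit length it is derived from. The `<= 0` test in the next hunk only works while tcp_dl can hold a negative value, so a one-line comment here (for instance, that it goes negative when total_length is smaller than the header lengths) would keep a later cleanup from narrowing it back to uint16_t. Uses of tcp_dl further down the function are outside this hunk; any that expect a uint16_t now convert implicitly and are worth checking.
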
> @@ -360,10 +361,10 @@ gro_tcp4_reassemble(struct rte_mbuf *pkt,
> 	 */
> 	if (tcp_hdr->tcp_flags != TCP_ACK_FLAG)
> 		return -1;
> -	/* if payload length is 0, return immediately */
> +	/* if payload length is less than or equal to 0, return immediately */
> 	tcp_dl = rte_be_to_cpu_16(ipv4_hdr->total_length) - pkt->l3_len -
> 		pkt->l4_len;
> -	if (tcp_dl == 0)
> +	if (tcp_dl <= 0)
> 		return -1;
> 
> 	ip_id = rte_be_to_cpu_16(ipv4_hdr->packet_id);
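
Review bot: the `if (tcp_dl <= 0)` test relies on the subtraction in `tcp_dl = rte_be_to_cpu_16(ipv4_hdr->total_length) - pkt->l3_len - pkt->l4_len;` yielding a negative value, which depends on the operand types and the conversion into int32_t rather than on anything stated in the code. Comparing total_length against the sum of pkt->l3_len and pkt->l4_len before subtracting would make the malformed-packet case explicit and independent of how the expression is promoted. The updated comment could also name that case (total_length shorter than the IPv4 plus TCP headers) instead of only saying "less than or equal to 0", since a negative payload length is not self-explanatory to a reader.
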
> -- 
> 2.7.4
> 


