[dpdk-stable] [PATCH 17.11] gro: fix overflow of TCP payload calculation
Yongseok Koh
yskoh at mellanox.com
Wed Jan 9 10:30:07 CET 2019
> On Jan 8, 2019, at 6:20 PM, Jiayu Hu <jiayu.hu at intel.com> wrote:
>
> When the IPv4 packet length is less than the total length of IPv4
> and TCP headers, the calculated TCP payload length will overflow
> and result in incorrect reassembly behaviors.
>
> Fixes: 0d2cbe59b719 ("lib/gro: support TCP/IPv4")
>
> Signed-off-by: Jiayu Hu <jiayu.hu at intel.com>
> ---
Applied to stable/17.11
Thanks,
Yongseok
> lib/librte_gro/gro_tcp4.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/lib/librte_gro/gro_tcp4.c b/lib/librte_gro/gro_tcp4.c
> index 61a0423..d1c6c7d 100644
> --- a/lib/librte_gro/gro_tcp4.c
> +++ b/lib/librte_gro/gro_tcp4.c
> @@ -343,7 +343,8 @@ gro_tcp4_reassemble(struct rte_mbuf *pkt,
> struct ipv4_hdr *ipv4_hdr;
> struct tcp_hdr *tcp_hdr;
> uint32_t sent_seq;
> - uint16_t tcp_dl, ip_id;
> + uint16_t ip_id;
> + int32_t tcp_dl;
>
> struct tcp4_key key;
> uint32_t cur_idx, prev_idx, item_idx;
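Review bot: the new `int32_t tcp_dl;` declaration has no comment saying why a length is signed, and the reason only becomes visible in the next hunk's `tcp_dl <= 0` test. A one-line comment on the declaration would keep a later cleanup from narrowing it back to uint16_t. Any later use of tcp_dl in gro_tcp4_reassemble() that hands it to a 16-bit parameter or field now narrows implicitly, so those uses deserve an explicit cast or a range check in the same patch.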
> @@ -360,10 +361,10 @@ gro_tcp4_reassemble(struct rte_mbuf *pkt,
> */
> if (tcp_hdr->tcp_flags != TCP_ACK_FLAG)
> return -1;
> - /* if payload length is 0, return immediately */
> + /* if payload length is less than or equal to 0, return immediately */
> tcp_dl = rte_be_to_cpu_16(ipv4_hdr->total_length) - pkt->l3_len -
> pkt->l4_len;
> - if (tcp_dl == 0)
> + if (tcp_dl <= 0)
> return -1;
>
> ip_id = rte_be_to_cpu_16(ipv4_hdr->packet_id);
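Review bot: the `tcp_dl <= 0` test relies on the subtraction from `rte_be_to_cpu_16(ipv4_hdr->total_length)` yielding a negative value, which depends on the types of pkt->l3_len and pkt->l4_len that this hunk does not show. Comparing total_length against pkt->l3_len + pkt->l4_len before subtracting would make the check independent of integer promotion and conversion. The hunk also sets only a lower bound: nothing here compares total_length with the amount of data actually held in the mbuf, so an oversized total_length still produces a tcp_dl larger than the real payload unless that is validated elsewhere.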
> --
> 2.7.4
>
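The wraparound described in the commit message, shown next to a compare-before-subtract check. This is an added example, not code from the patch or from DPDK: the function names are hypothetical, the packet bytes are constructed, and it goes beyond the patch by also checking total_length against the bytes actually present and the header minimums.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Pre-patch arithmetic: the difference is stored in a uint16_t, so it wraps. */
static uint16_t payload_len_u16(uint16_t total, uint16_t l3_len, uint16_t l4_len)
{
    return (uint16_t)(total - l3_len - l4_len);
}

/* Payload length of an IPv4/TCP packet, or -1 if the length fields disagree.
 * ip points at the IPv4 header; avail is the number of bytes really present. */
static int32_t tcp4_payload_len(const uint8_t *ip, size_t avail)
{
    if (avail < 20 || (ip[0] >> 4) != 4 || ip[9] != 6)
        return -1;                          /* not IPv4 carrying TCP */
    size_t l3_len = (size_t)(ip[0] & 0x0f) * 4;
    if (l3_len < 20 || avail < l3_len + 20)
        return -1;                          /* bad IHL or truncated TCP header */
    size_t l4_len = (size_t)(ip[l3_len + 12] >> 4) * 4;
    size_t total = ((size_t)ip[2] << 8) | ip[3];
    if (l4_len < 20 || total > avail || total < l3_len + l4_len)
        return -1;                          /* compare before subtracting */
    return (int32_t)(total - l3_len - l4_len);
}

/* Constructed sample: 20-byte IPv4 header + 20-byte TCP header, no options. */
static int32_t demo_payload_len(uint16_t total, size_t avail)
{
    uint8_t pkt[64] = {0};
    pkt[0] = 0x45;                          /* version 4, IHL 5 */
    pkt[2] = (uint8_t)(total >> 8);
    pkt[3] = (uint8_t)(total & 0xff);
    pkt[9] = 6;                             /* protocol: TCP */
    pkt[20 + 12] = 0x50;                    /* TCP data offset 5 */
    return tcp4_payload_len(pkt, avail <= sizeof(pkt) ? avail : sizeof(pkt));
}

int main(void)
{
    printf("uint16_t result for total_length 30: %u\n",
           (unsigned)payload_len_u16(30, 20, 20));
    printf("checked result for total_length 30: %d\n",
           (int)demo_payload_len(30, 64));
    printf("checked result for total_length 45: %d\n",
           (int)demo_payload_len(45, 64));
    return 0;
}
```

A caller that wants the patch's behaviour treats any result less than or equal to 0 as "do not merge".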