[PATCH v1] gro: bug fix in identifying 0 length tcp packets

Morten Brørup mb at smartsharesystems.com
Mon Apr 4 08:22:31 CEST 2022

Previous message (by thread): [PATCH v1] gro: bug fix in identifying 0 length tcp packets
Next message (by thread): [PATCH v2] gro: bug fix in identifying 0 length tcp packets
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> From: Kumara Parameshwaran [mailto:kumaraparamesh92 at gmail.com]
> Sent: Sunday, 3 April 2022 13.51
> 
> As the minimum Ethernet frame size is 64 bytes, a 0 length
> tcp payload without tcp options would be 54 bytes and hence
> there would be padding. So it would be incorrect to use the
> packet length to determine the tcp data length.
> 
> Fixes: 1e4cf4d6d4fb ("gro: cleanup")
> Cc: stable at dpdk.org
> 
> Signed-off-by: Kumara Parameshwaran <kparameshwar at vmware.com>
> ---
> v1:
> 	Do not use packet length to determine the tcp data length as
> 	the packet length could have padded bytes. This would lead
> 	to addition of 0 length tcp packets into the GRO layer when
> 	there ethernet fram is padded.
>  lib/gro/gro_tcp4.c | 5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)
> 
> diff --git a/lib/gro/gro_tcp4.c b/lib/gro/gro_tcp4.c
> index 7498c66..45e3f48 100644
> --- a/lib/gro/gro_tcp4.c
> +++ b/lib/gro/gro_tcp4.c
> @@ -198,7 +198,7 @@ gro_tcp4_reassemble(struct rte_mbuf *pkt,
>  	struct rte_tcp_hdr *tcp_hdr;
>  	uint32_t sent_seq;
>  	int32_t tcp_dl;
> -	uint16_t ip_id, hdr_len, frag_off;
> +	uint16_t ip_id, frag_off;
>  	uint8_t is_atomic;
> 
>  	struct tcp4_flow_key key;
> @@ -217,7 +217,6 @@ gro_tcp4_reassemble(struct rte_mbuf *pkt,
>  	eth_hdr = rte_pktmbuf_mtod(pkt, struct rte_ether_hdr *);
>  	ipv4_hdr = (struct rte_ipv4_hdr *)((char *)eth_hdr + pkt-
> >l2_len);
>  	tcp_hdr = (struct rte_tcp_hdr *)((char *)ipv4_hdr + pkt->l3_len);
> -	hdr_len = pkt->l2_len + pkt->l3_len + pkt->l4_len;
> 
>  	/*
>  	 * Don't process the packet which has FIN, SYN, RST, PSH, URG,
> ECE
> @@ -229,7 +228,7 @@ gro_tcp4_reassemble(struct rte_mbuf *pkt,
>  	 * Don't process the packet whose payload length is less than or
>  	 * equal to 0.
>  	 */
> -	tcp_dl = pkt->pkt_len - hdr_len;
> +	tcp_dl = rte_be_to_cpu_16(ipv4_hdr->total_length) - (pkt->l3_len
> + pkt->l4_len);
>  	if (tcp_dl <= 0)
>  		return -1;
> 
> --
> 2.7.4
> 

Please confirm that this does not introduce a buffer overrun regarding malformed packets, e.g. a small packet with ipv4_hdr->total_length set to 65000.

I haven't looked at the patch in context, so my concern may be irrelevant.

-Morten

Previous message (by thread): [PATCH v1] gro: bug fix in identifying 0 length tcp packets
Next message (by thread): [PATCH v2] gro: bug fix in identifying 0 length tcp packets
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the stable mailing list