From patchwork Mon Dec 17 15:50:03 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bruce Richardson X-Patchwork-Id: 49011 Return-Path: X-Original-To: patchwork@dpdk.org Delivered-To: patchwork@dpdk.org Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 756B11B736; Mon, 17 Dec 2018 16:50:38 +0100 (CET) Received: from mga07.intel.com (mga07.intel.com [134.134.136.100]) by dpdk.org (Postfix) with ESMTP id 96B0D1B6F7 for ; Mon, 17 Dec 2018 16:50:36 +0100 (CET) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by orsmga105.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 17 Dec 2018 07:50:19 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.56,365,1539673200"; d="scan'208";a="130652856" Received: from silpixa00399126.ir.intel.com (HELO silpixa00399126.ger.corp.intel.com) ([10.237.222.236]) by fmsmga001.fm.intel.com with ESMTP; 17 Dec 2018 07:50:16 -0800 From: Bruce Richardson To: Olivier Matz , Keith Wiles Cc: dev@dpdk.org, Bruce Richardson , Hemant Agrawal , Shreyansh Jain Date: Mon, 17 Dec 2018 15:50:03 +0000 Message-Id: <20181217155005.13457-1-bruce.richardson@intel.com> X-Mailer: git-send-email 2.19.2 MIME-Version: 1.0 Subject: [dpdk-dev] [PATCH 0/2] prevent out of bounds read with checksum X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" The functions for checksumming the packet payload don't perform bounds checks, and are used by the TAP driver which does not do any bounds checks on the incoming packet either. This means a packet received with an incorrect IP header can read beyond the end of the mbuf. In the worst case, where the length is specified as being smaller than the IPv4 header, 32-bit wrap-around on subtraction occurs, meaning that approx 4GB of memory will be read. To fix this, we can introduce a sanity check into the ipv4 function to ensure that underflow does not occur. Since the checksum function does not take the mbuf length as a parameter, we cannot check for overflow there, so we instead perform the checks in the TAP driver directly. Ideally, in a future release, all checksum functions should be modified to take a max buffer length parameter to fix this issue globally. NOTE: It appears that the dpaa driver also uses these functions, but from what I can see there, they are only used on TX, which means that there should be less need for parameter length checking, as the data does not come from an untrusted source. Perhaps maintainers, Hemant and Shreyansh, can confirm? CC: Hemant Agrawal CC: Shreyansh Jain Bruce Richardson (2): net: fix underflow for checksum of invalid IPv4 packets net/tap: add buffer overflow checks before checksum drivers/net/tap/rte_eth_tap.c | 14 ++++++++++++++ lib/librte_net/rte_ip.h | 12 ++++++++---- 2 files changed, 22 insertions(+), 4 deletions(-)