From patchwork Mon Dec 17 15:50:05 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bruce Richardson X-Patchwork-Id: 49013 X-Patchwork-Delegate: ferruh.yigit@amd.com Return-Path: X-Original-To: patchwork@dpdk.org Delivered-To: patchwork@dpdk.org Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id C3A261B90E; Mon, 17 Dec 2018 16:50:41 +0100 (CET) Received: from mga04.intel.com (mga04.intel.com [192.55.52.120]) by dpdk.org (Postfix) with ESMTP id B15111B6F7; Mon, 17 Dec 2018 16:50:37 +0100 (CET) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga104.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 17 Dec 2018 07:50:33 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.56,365,1539673200"; d="scan'208";a="130652891" Received: from silpixa00399126.ir.intel.com (HELO silpixa00399126.ger.corp.intel.com) ([10.237.222.236]) by fmsmga001.fm.intel.com with ESMTP; 17 Dec 2018 07:50:31 -0800 From: Bruce Richardson To: Olivier Matz , Keith Wiles Cc: dev@dpdk.org, Bruce Richardson , stable@dpdk.org Date: Mon, 17 Dec 2018 15:50:05 +0000 Message-Id: <20181217155005.13457-3-bruce.richardson@intel.com> X-Mailer: git-send-email 2.19.2 In-Reply-To: <20181217155005.13457-1-bruce.richardson@intel.com> References: <20181217155005.13457-1-bruce.richardson@intel.com> MIME-Version: 1.0 Subject: [dpdk-dev] [PATCH 2/2] net/tap: add buffer overflow checks before checksum X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" The checksum calculation APIs take only the packet headers pointers as parameters, so they assume that the lengths reported in those headers are correct. However, a malicious packet could claim to be far larger than it is, so we need to check the header lengths in the driver before calling the checksum API. A better fix would be to allow the lengths to be passed into the API function, but that would be an API break, so fixing in TAP driver for now. CC: stable@dpdk.org Fixes: 8ae3023387e9 ("net/tap: add Rx/Tx checksum offload support") Signed-off-by: Bruce Richardson Reviewed-by: Ferruh Yigit Acked-by: Keith Wiles --- drivers/net/tap/rte_eth_tap.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/drivers/net/tap/rte_eth_tap.c b/drivers/net/tap/rte_eth_tap.c index 49afd38dd..0ec030bef 100644 --- a/drivers/net/tap/rte_eth_tap.c +++ b/drivers/net/tap/rte_eth_tap.c @@ -281,13 +281,27 @@ tap_verify_csum(struct rte_mbuf *mbuf) l3_len = 4 * (iph->version_ihl & 0xf); if (unlikely(l2_len + l3_len > rte_pktmbuf_data_len(mbuf))) return; + /* check that the total length reported by header is not + * greater than the total received size + */ + if (l2_len + rte_be_to_cpu_16(iph->total_length) > + rte_pktmbuf_data_len(mbuf)) + return; cksum = ~rte_raw_cksum(iph, l3_len); mbuf->ol_flags |= cksum ? PKT_RX_IP_CKSUM_BAD : PKT_RX_IP_CKSUM_GOOD; } else if (l3 == RTE_PTYPE_L3_IPV6) { + struct ipv6_hdr *iph = l3_hdr; + l3_len = sizeof(struct ipv6_hdr); + /* check that the total length reported by header is not + * greater than the total received size + */ + if (l2_len + l3_len + rte_be_to_cpu_16(iph->payload_len) > + rte_pktmbuf_data_len(mbuf)) + return; } else { /* IPv6 extensions are not supported */ return;