From: Stephen Hemminger <stephen@networkplumber.org>
To: "Hu, Jiayu" <jiayu.hu@intel.com>
Cc: "Richardson, Bruce" <bruce.richardson@intel.com>,
	"dev@dpdk.org" <dev@dpdk.org>, "Bie, Tiwei" <tiwei.bie@intel.com>,
	"stable@dpdk.org" <stable@dpdk.org>
Subject: Re: [PATCH] gro: fix overflow of TCP Options length calculation
Date: Mon, 7 Jan 2019 22:19:18 -0800
Message-ID: <20190107221918.1db62f1b@hermes.lan>
In-Reply-To: <ED946F0BEFE0A141B63BABBD629A2A9B3CF3E117@shsmsx102.ccr.corp.intel.com>

On Tue, 8 Jan 2019 01:22:18 +0000
"Hu, Jiayu" <jiayu.hu@intel.com> wrote:

> > -----Original Message-----
> > From: Richardson, Bruce
> > Sent: Monday, January 7, 2019 10:30 PM
> > To: Hu, Jiayu <jiayu.hu@intel.com>
> > Cc: dev@dpdk.org; Bie, Tiwei <tiwei.bie@intel.com>; stable@dpdk.org
> > Subject: Re: [dpdk-dev] [PATCH] gro: fix overflow of TCP Options length
> > calculation
> > 
> > On Fri, Jan 04, 2019 at 09:57:16AM +0800, Jiayu Hu wrote:  
> > > If we receive a packet with an invalid TCP header, whose
> > > TCP header length is less than 20 bytes (the minimal TCP
> > > header length), the calculated TCP Options length will
> > > overflow and result in incorrect reassembly behaviors.  
> > 
> > Please explain how changing the "len" type fixes this behaviour.  
> 
> Originally, 'uint16_t len = RTE_MAX(tcp_hl, tcp_hl_orig) - sizeof(struct tcp_hdr)'.
> When the TCP header length of an input packet is less than 20, which is the value of
> sizeof(struct tcp_hdr), the value of len will overflow. For example, if TCP header lengths
> of input packets are 14, the value of 'len' will be 65529 (65535-6). After that, we will
> compare TCP options via memcmp(tcp_hdr+1,..., len), which would cause a segmentation fault.

For future safety, GRO should check header lengths for IP and TCP before looking
at the packet. It is basic structure hygiene.
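
The header-length check suggested above, as an added example that is not part of the original message or of DPDK's GRO code: it validates the IPv4 and TCP header lengths of a raw byte buffer before computing the TCP Options length, next to the unchecked subtraction quoted earlier in the thread. The function names, the byte-buffer interface and the sample packet are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPV4_MIN_HLEN 20u /* IHL = 5 words */
#define TCP_MIN_HLEN  20u /* data offset = 5 words */

/* Unchecked form of the calculation quoted in the thread: the uint16_t
 * result wraps around when tcp_hl is below 20. */
static uint16_t opt_len_unchecked(uint16_t tcp_hl)
{
    return (uint16_t)(tcp_hl - TCP_MIN_HLEN);
}

/* pkt points at an IPv4 header, len is the number of bytes present.
 * Returns the TCP Options length, or -1 if a header length is invalid. */
static int tcp_opt_len_checked(const uint8_t *pkt, size_t len)
{
    size_t ip_hl, tcp_hl;
    if (pkt == NULL || len < IPV4_MIN_HLEN || (pkt[0] >> 4) != 4)
        return -1;                            /* too short or not IPv4 */
    ip_hl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ip_hl < IPV4_MIN_HLEN || pkt[9] != 6 || len < ip_hl + TCP_MIN_HLEN)
        return -1;                            /* bad IHL, not TCP, or truncated */
    tcp_hl = (size_t)(pkt[ip_hl + 12] >> 4) * 4;
    if (tcp_hl < TCP_MIN_HLEN || len < ip_hl + tcp_hl)
        return -1;                            /* bad data offset or truncated */
    return (int)(tcp_hl - TCP_MIN_HLEN);      /* cannot wrap: tcp_hl >= 20 */
}

/* Constructed sample: zeroed buffer with only the length fields set. */
static int sample_opt_len(unsigned ihl_words, unsigned doff_words, size_t avail)
{
    uint8_t buf[128] = {0};
    if (avail > sizeof(buf))
        return -1;
    buf[0] = (uint8_t)(0x40 | (ihl_words & 0x0f));   /* version 4 + IHL */
    buf[9] = 6;                                      /* protocol: TCP */
    buf[(ihl_words & 0x0f) * 4 + 12] = (uint8_t)((doff_words & 0x0f) << 4);
    return tcp_opt_len_checked(buf, avail);
}

int main(void)
{
    printf("unchecked, tcp_hl=14: %u\n", (unsigned)opt_len_unchecked(14));
    printf("checked, 12-byte TCP header: %d\n", sample_opt_len(5, 3, 64));
    return 0;
}
```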
