From: "Toke Høiland-Jørgensen" <toke@redhat.com>
To: Christian Deacon <gamemann@gflclan.com>, xdp-newbies@vger.kernel.org
Subject: Re: XDP Software Issue - Payload Matching
Date: Tue, 12 May 2020 16:28:37 +0200 [thread overview]
Message-ID: <87ftc5ut0q.fsf@toke.dk> (raw)
In-Reply-To: <bbf21c58-09b3-b80f-11ab-548b229b9bdb@gflclan.com>
Christian Deacon <gamemann@gflclan.com> writes:
> Hey Toke,
>
> Thank you for your response and the information!
>
> I actually found out last night about this as well, but when setting the
> max payload match length to 1500 bytes (instead of 65535), I receive a
> new error:
>
> ```
> invalid read from stack off -488+0 size 8
> processed 46277 insns (limit 1000000) max_states_per_insn 4 total_states
> 617 peak_states 617 mark_read 599
> ```
Hmm, this sounds like the verifier can't prove that your stack variable
(presumably the 'byte' pointer) is actually safe to read from the stack.
Not sure why - maybe because the variable is declared in the inner loop
and the verifier loses track? IDK, really...
> Here's the new code:
>
> ```
> if (filter[i]->payloadLen > 0)
> {
> uint8_t found = 1;
>
> // MAX_PAYLOAD_LENGTH = 1500
> for (uint16_t j = 0; j < MAX_PAYLOAD_LENGTH; j++)
> {
> if ((j + 1) > filter[i]->payloadLen)
> {
> break;
> }
>
> uint8_t *byte = data + sizeof(struct ethhdr) + (iph->ihl * 4) +
> l4headerLen + j;
>
> if (byte + 1 > (uint8_t *)data_end)
> {
> break;
> }
>
> if (*byte == filter[i]->payloadMatch[j])
> {
> continue;
> }
>
> found = 0;
>
> break;
> }
>
> if (!found)
> {
> continue;
> }
> }
> ```
>
> This error occurs when initializing the `byte` pointer (if I comment out
> any lines with the `byte` pointer, the XDP program runs without
> crashing). Though, to my understanding, I am doing things correctly here
> along with ensuring the `byte` pointer is within the packet's range.
Well, "doing something safely" and "convincing the verifier that what
you're doing is safe" is not always the same thing ;)
> I am also going to look into implementing your second suggestion! I've
> been trying to think of ways to improve performance with the software
> and initially, I planned to only have filtering rules activated after a
> certain global PPS/BPS threshold is met (specified in the config file).
> However, it sounds like your suggestion would be more efficient.
>
> Thank you for all your help!
You're welcome! :)
-Toke
next prev parent reply other threads:[~2020-05-12 14:28 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-08 13:57 XDP Software Issue - Payload Matching Christian Deacon
2020-05-11 10:41 ` Toke Høiland-Jørgensen
2020-05-11 18:40 ` Christian Deacon
2020-05-12 14:28 ` Toke Høiland-Jørgensen [this message]
2020-05-13 13:25 ` Christian Deacon
2020-05-13 14:42 ` Toke Høiland-Jørgensen
2020-05-22 14:49 ` Christian Deacon
2020-05-22 15:12 ` Toke Høiland-Jørgensen
2020-07-14 15:58 ` Christian Deacon
2020-07-14 20:48 ` Toke Høiland-Jørgensen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87ftc5ut0q.fsf@toke.dk \
--to=toke@redhat.com \
--cc=gamemann@gflclan.com \
--cc=xdp-newbies@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.