From: Stephen Hemminger <stephen@networkplumber.org>
To: dev@dpdk.org
Cc: Stephen Hemminger <stephen@networkplumber.org>,
stable@dpdk.org, Jie Hai <haijie1@huawei.com>
Subject: [PATCH] net: fix GTP Tunnel parse out-of-bounds read
Date: Thu, 9 Apr 2026 09:15:56 -0700 [thread overview]
Message-ID: <20260409161556.141251-1-stephen@networkplumber.org> (raw)
If packet is fragmented across multiple mbufs or the packet
has only GTP header the code would reference outside
the incoming mbuf.
Send GTP packet:
- Valid GTP header (8 bytes)
- msg_type = 0xff
- e=1, s=1, pn=1 (sets gtp_len = 12)
- Total packet size = 10 bytes
Read at gh + 12 accesses 2 bytes beyond packet end.
The fix is to use rte_pktmbuf_read in a manner similar
to the read of the GTP header.
Fixes: 64ed7f854cf4 ("net: add tunnel packet type parsing")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
lib/net/rte_net.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/lib/net/rte_net.c b/lib/net/rte_net.c
index 458b4814a9..da4018437b 100644
--- a/lib/net/rte_net.c
+++ b/lib/net/rte_net.c
@@ -219,8 +219,7 @@ ptype_tunnel_with_udp(uint16_t *proto, const struct rte_mbuf *m,
case RTE_GTPU_UDP_PORT: {
const struct rte_gtp_hdr *gh;
struct rte_gtp_hdr gh_copy;
- uint8_t gtp_len;
- uint8_t ip_ver;
+ uint32_t gtp_len;
gh = rte_pktmbuf_read(m, *off, sizeof(*gh), &gh_copy);
if (unlikely(gh == NULL))
return 0;
@@ -231,9 +230,16 @@ ptype_tunnel_with_udp(uint16_t *proto, const struct rte_mbuf *m,
* Check message type. If message type is 0xff, it is
* a GTP data packet. If not, it is a GTP control packet
*/
+ *off += gtp_len;
if (gh->msg_type == 0xff) {
- ip_ver = *(const uint8_t *)((const char *)gh + gtp_len);
- ip_ver = (ip_ver) & 0xf0;
+ const uint8_t *l3_hdr;
+ uint8_t l3_copy, ip_ver;
+
+ l3_hdr = rte_pktmbuf_read(m, *off, sizeof(*l3_hdr), &l3_copy);
+ if (unlikely(l3_hdr == NULL))
+ return 0;
+
+ ip_ver = *l3_hdr & 0xf0;
if (ip_ver == RTE_GTP_TYPE_IPV4)
*proto = rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4);
else if (ip_ver == RTE_GTP_TYPE_IPV6)
@@ -243,7 +249,6 @@ ptype_tunnel_with_udp(uint16_t *proto, const struct rte_mbuf *m,
} else {
*proto = 0;
}
- *off += gtp_len;
hdr_lens->inner_l2_len = gtp_len + sizeof(struct rte_udp_hdr);
hdr_lens->tunnel_len = gtp_len;
if (port_no == RTE_GTPC_UDP_PORT)
--
2.53.0
reply other threads:[~2026-04-09 16:16 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260409161556.141251-1-stephen@networkplumber.org \
--to=stephen@networkplumber.org \
--cc=dev@dpdk.org \
--cc=haijie1@huawei.com \
--cc=stable@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox