From mboxrd@z Thu Jan 1 00:00:00 1970 From: Bruce Richardson Subject: Re: [PATCH] gro: fix overflow of TCP Options length calculation Date: Mon, 7 Jan 2019 14:29:55 +0000 Message-ID: <20190107142955.GC14912@bricha3-MOBL.ger.corp.intel.com> References: <1546567036-29444-1-git-send-email-jiayu.hu@intel.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: dev@dpdk.org, tiwei.bie@intel.com, stable@dpdk.org To: Jiayu Hu Return-path: Content-Disposition: inline In-Reply-To: <1546567036-29444-1-git-send-email-jiayu.hu@intel.com> List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" On Fri, Jan 04, 2019 at 09:57:16AM +0800, Jiayu Hu wrote: > If we receive a packet with an invalid TCP header, whose > TCP header length is less than 20 bytes (the minimal TCP > header length), the calculated TCP Options length will > overflow and result in incorrect reassembly behaviors. Please explain how changing the "len" type fixes this behaviour. > > Fixes: 0d2cbe59b719 ("lib/gro: support TCP/IPv4") > Fixes: 9e0b9d2ec0f4 ("gro: support VxLAN GRO") > Cc: stable@dpdk.org > > Signed-off-by: Jiayu Hu > --- > lib/librte_gro/gro_tcp4.h | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/lib/librte_gro/gro_tcp4.h b/lib/librte_gro/gro_tcp4.h > index 6bb30cd..189cea3 100644 > --- a/lib/librte_gro/gro_tcp4.h > +++ b/lib/librte_gro/gro_tcp4.h > @@ -266,7 +266,8 @@ check_seq_option(struct gro_tcp4_item *item, > struct rte_mbuf *pkt_orig = item->firstseg; > struct ipv4_hdr *iph_orig; > struct tcp_hdr *tcph_orig; > - uint16_t len, tcp_hl_orig; > + uint16_t tcp_hl_orig; > + int32_t len; > > iph_orig = (struct ipv4_hdr *)(rte_pktmbuf_mtod(pkt_orig, char *) + > l2_offset + pkt_orig->l2_len); > -- > 2.7.4 >