From mboxrd@z Thu Jan 1 00:00:00 1970
From: Stephen Hemminger
Subject: Re: [PATCH] gro: fix overflow of TCP Options length calculation
Date: Mon, 7 Jan 2019 22:19:18 -0800
Message-ID: <20190107221918.1db62f1b@hermes.lan>
References: <1546567036-29444-1-git-send-email-jiayu.hu@intel.com> <20190107142955.GC14912@bricha3-MOBL.ger.corp.intel.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Cc: "Richardson, Bruce", "dev@dpdk.org", "Bie, Tiwei", "stable@dpdk.org"
To: "Hu, Jiayu"
List-Id: DPDK patches and discussions
Errors-To: dev-bounces@dpdk.org
Sender: "dev"

On Tue, 8 Jan 2019 01:22:18 +0000
"Hu, Jiayu" wrote:

> > -----Original Message-----
> > From: Richardson, Bruce
> > Sent: Monday, January 7, 2019 10:30 PM
> > To: Hu, Jiayu
> > Cc: dev@dpdk.org; Bie, Tiwei; stable@dpdk.org
> > Subject: Re: [dpdk-dev] [PATCH] gro: fix overflow of TCP Options length
> > calculation
> >
> > On Fri, Jan 04, 2019 at 09:57:16AM +0800, Jiayu Hu wrote:
> > > If we receive a packet with an invalid TCP header, whose
> > > TCP header length is less than 20 bytes (the minimal TCP
> > > header length), the calculated TCP Options length will
> > > overflow and result in incorrect reassembly behaviors.
> >
> > Please explain how changing the "len" type fixes this behaviour.
>
> Originally, 'uint16_t len = RTE_MAX(tcp_hl, tcp_hl_orig) - sizeof(struct tcp_hdr)'.
> When the TCP header length of an input packet is less than 20, which is the value of
> sizeof(struct tcp_hdr), the value of len will overflow. For example, if TCP header lengths
> of input packets are 14, the value of 'len' will be 65529 (65535-6). After that, we will
> compare TCP options via memcmp(tcp_hdr+1,..., len), which would cause a segmentation fault.

For future safety, GRO should check header lengths for IP and TCP before looking at the packet.
It is basic structure hygiene.
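
The header-length check suggested in this message, as an added example that is not part of the thread or of the DPDK sources. It uses plain byte buffers rather than DPDK structures; every function name and the constructed sample headers are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPV4_MIN_HDR 20u /* fixed IPv4 header, no options */
#define TCP_MIN_HDR  20u /* fixed TCP header, no options */

/* Unchecked form of the calculation quoted in the thread: wraps when tcp_hl < 20. */
static uint16_t opt_len_unchecked(uint16_t tcp_hl)
{
	return (uint16_t)(tcp_hl - TCP_MIN_HDR);
}

/* IPv4 header length from the IHL nibble, or -1 if below 20 or beyond the bytes available. */
static int ipv4_hdr_len(const uint8_t *ip, size_t avail)
{
	if (avail < IPV4_MIN_HDR)
		return -1;
	size_t hl = (size_t)(ip[0] & 0x0f) * 4;
	return (hl < IPV4_MIN_HDR || hl > avail) ? -1 : (int)hl;
}

/* TCP options length from the data-offset nibble, or -1 if the header is invalid. */
static int tcp_opt_len(const uint8_t *tcp, size_t avail)
{
	if (avail < TCP_MIN_HDR)
		return -1;
	size_t hl = (size_t)(tcp[12] >> 4) * 4;
	return (hl < TCP_MIN_HDR || hl > avail) ? -1 : (int)(hl - TCP_MIN_HDR);
}

/* Constructed sample: a zeroed TCP header with only the data offset set. */
static int sample_opt_len(uint8_t data_off_words, size_t avail)
{
	uint8_t tcp[60] = {0};
	tcp[12] = (uint8_t)(data_off_words << 4);
	return tcp_opt_len(tcp, avail);
}

int main(void)
{
	printf("unchecked, tcp_hl=14: len=%u\n", (unsigned)opt_len_unchecked(14));
	printf("checked, offset=3 (12 bytes): %d\n", sample_opt_len(3, 32));
	printf("checked, offset=8 (32 bytes): %d\n", sample_opt_len(8, 32));
	printf("checked, offset=8, 24 bytes present: %d\n", sample_opt_len(8, 24));
	return 0;
}
```

A caller would drop the packet from reassembly whenever either check returns -1, so the options comparison never runs with a wrapped length.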