From: Konstantin Ananyev Date: Mon, 5 Nov 2018 12:18:57 +0000 (+0000) Subject: ip_frag: check fragment length of incoming packet X-Git-Url: http://git.droids-corp.org/?a=commitdiff_plain;h=7f0983ee331c;p=dpdk.git ip_frag: check fragment length of incoming packet Under some conditions ill-formed fragments might cause reassembly code to corrupt mbufs and/or crash. Let say the following fragments sequence: can trigger the problem. To overcome such situation, added check that fragment length of incoming value is greater than zero. Fixes: 601e279df074 ("ip_frag: move fragmentation/reassembly headers into a library") Fixes: 4f1a8f633862 ("ip_frag: add IPv6 reassembly") Cc: stable@dpdk.org Reported-by: Ryan E Hall Reported-by: Alexander V Gutkin Signed-off-by: Konstantin Ananyev --- diff --git a/lib/librte_ip_frag/rte_ipv4_reassembly.c b/lib/librte_ip_frag/rte_ipv4_reassembly.c index 4956b99eab..1029b7abc8 100644 --- a/lib/librte_ip_frag/rte_ipv4_reassembly.c +++ b/lib/librte_ip_frag/rte_ipv4_reassembly.c @@ -36,8 +36,11 @@ ipv4_frag_reassemble(struct ip_frag_pkt *fp) /* previous fragment found. */ if(fp->frags[i].ofs + fp->frags[i].len == ofs) { + RTE_ASSERT(curr_idx != i); + /* adjust start of the last fragment data. */ - rte_pktmbuf_adj(m, (uint16_t)(m->l2_len + m->l3_len)); + rte_pktmbuf_adj(m, + (uint16_t)(m->l2_len + m->l3_len)); rte_pktmbuf_chain(fp->frags[i].mb, m); /* this mbuf should not be accessed directly */ @@ -96,14 +99,14 @@ ipv4_frag_reassemble(struct ip_frag_pkt *fp) */ struct rte_mbuf * rte_ipv4_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl, - struct rte_ip_frag_death_row *dr, struct rte_mbuf *mb, uint64_t tms, - struct ipv4_hdr *ip_hdr) + struct rte_ip_frag_death_row *dr, struct rte_mbuf *mb, uint64_t tms, + struct ipv4_hdr *ip_hdr) { struct ip_frag_pkt *fp; struct ip_frag_key key; const unaligned_uint64_t *psd; - uint16_t ip_len; uint16_t flag_offset, ip_ofs, ip_flag; + int32_t ip_len; flag_offset = rte_be_to_cpu_16(ip_hdr->fragment_offset); ip_ofs = (uint16_t)(flag_offset & IPV4_HDR_OFFSET_MASK); @@ -116,12 +119,11 @@ rte_ipv4_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl, key.key_len = IPV4_KEYLEN; ip_ofs *= IPV4_HDR_OFFSET_UNITS; - ip_len = (uint16_t)(rte_be_to_cpu_16(ip_hdr->total_length) - - mb->l3_len); + ip_len = rte_be_to_cpu_16(ip_hdr->total_length) - mb->l3_len; IP_FRAG_LOG(DEBUG, "%s:%d:\n" "mbuf: %p, tms: %" PRIu64 - ", key: <%" PRIx64 ", %#x>, ofs: %u, len: %u, flags: %#x\n" + ", key: <%" PRIx64 ", %#x>, ofs: %u, len: %d, flags: %#x\n" "tbl: %p, max_cycles: %" PRIu64 ", entry_mask: %#x, " "max_entries: %u, use_entries: %u\n\n", __func__, __LINE__, @@ -129,6 +131,12 @@ rte_ipv4_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl, tbl, tbl->max_cycles, tbl->entry_mask, tbl->max_entries, tbl->use_entries); + /* check that fragment length is greater then zero. */ + if (ip_len <= 0) { + IP_FRAG_MBUF2DR(dr, mb); + return NULL; + } + /* try to find/add entry into the fragment's table. */ if ((fp = ip_frag_find(tbl, dr, &key, tms)) == NULL) { IP_FRAG_MBUF2DR(dr, mb); diff --git a/lib/librte_ip_frag/rte_ipv6_reassembly.c b/lib/librte_ip_frag/rte_ipv6_reassembly.c index db249fe600..855e3f7402 100644 --- a/lib/librte_ip_frag/rte_ipv6_reassembly.c +++ b/lib/librte_ip_frag/rte_ipv6_reassembly.c @@ -59,8 +59,11 @@ ipv6_frag_reassemble(struct ip_frag_pkt *fp) /* previous fragment found. */ if (fp->frags[i].ofs + fp->frags[i].len == ofs) { + RTE_ASSERT(curr_idx != i); + /* adjust start of the last fragment data. */ - rte_pktmbuf_adj(m, (uint16_t)(m->l2_len + m->l3_len)); + rte_pktmbuf_adj(m, + (uint16_t)(m->l2_len + m->l3_len)); rte_pktmbuf_chain(fp->frags[i].mb, m); /* this mbuf should not be accessed directly */ @@ -135,12 +138,13 @@ ipv6_frag_reassemble(struct ip_frag_pkt *fp) #define FRAG_OFFSET(x) (rte_cpu_to_be_16(x) >> 3) struct rte_mbuf * rte_ipv6_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl, - struct rte_ip_frag_death_row *dr, struct rte_mbuf *mb, uint64_t tms, - struct ipv6_hdr *ip_hdr, struct ipv6_extension_fragment *frag_hdr) + struct rte_ip_frag_death_row *dr, struct rte_mbuf *mb, uint64_t tms, + struct ipv6_hdr *ip_hdr, struct ipv6_extension_fragment *frag_hdr) { struct ip_frag_pkt *fp; struct ip_frag_key key; - uint16_t ip_len, ip_ofs; + uint16_t ip_ofs; + int32_t ip_len; rte_memcpy(&key.src_dst[0], ip_hdr->src_addr, 16); rte_memcpy(&key.src_dst[2], ip_hdr->dst_addr, 16); @@ -151,15 +155,17 @@ rte_ipv6_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl, ip_ofs = FRAG_OFFSET(frag_hdr->frag_data) * 8; /* - * as per RFC2460, payload length contains all extension headers as well. - * since we don't support anything but frag headers, this is what we remove - * from the payload len. + * as per RFC2460, payload length contains all extension headers + * as well. + * since we don't support anything but frag headers, + * this is what we remove from the payload len. */ ip_len = rte_be_to_cpu_16(ip_hdr->payload_len) - sizeof(*frag_hdr); IP_FRAG_LOG(DEBUG, "%s:%d:\n" "mbuf: %p, tms: %" PRIu64 - ", key: <" IPv6_KEY_BYTES_FMT ", %#x>, ofs: %u, len: %u, flags: %#x\n" + ", key: <" IPv6_KEY_BYTES_FMT ", %#x>, " + "ofs: %u, len: %d, flags: %#x\n" "tbl: %p, max_cycles: %" PRIu64 ", entry_mask: %#x, " "max_entries: %u, use_entries: %u\n\n", __func__, __LINE__, @@ -168,6 +174,12 @@ rte_ipv6_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl, tbl, tbl->max_cycles, tbl->entry_mask, tbl->max_entries, tbl->use_entries); + /* check that fragment length is greater then zero. */ + if (ip_len <= 0) { + IP_FRAG_MBUF2DR(dr, mb); + return NULL; + } + /* try to find/add entry into the fragment's table. */ fp = ip_frag_find(tbl, dr, &key, tms); if (fp == NULL) {