ip_frag: check fragment length of incoming packet
author Konstantin Ananyev <konstantin.ananyev@intel.com>
Mon, 5 Nov 2018 12:18:57 +0000 (12:18 +0000)
committer Thomas Monjalon <thomas@monjalon.net>
Tue, 6 Nov 2018 00:58:03 +0000 (01:58 +0100)
commit 7f0983ee331c9f08dabdb5b7f555ddf399003dcf
tree fa64a03a06f3230d3660549531e43deb05cf26ce
parent 7b178300accc661b7bbd47da93380106378dba1c
ip_frag: check fragment length of incoming packet

Under some conditions ill-formed fragments might cause
reassembly code to corrupt mbufs and/or crash.
Let's say the following fragment sequence:
<ofs=0,len=100, flags=MF>
<ofs=96,len=100, flags=MF>
<ofs=200,len=0,flags=MF>
<ofs=200,len=100,flags=0>
can trigger the problem.
To overcome such a situation, added a check that the fragment length
of the incoming value is greater than zero.

Fixes: 601e279df074 ("ip_frag: move fragmentation/reassembly headers into a library")
Fixes: 4f1a8f633862 ("ip_frag: add IPv6 reassembly")
Cc: stable@dpdk.org
Reported-by: Ryan E Hall <ryan.e.hall@intel.com>
Reported-by: Alexander V Gutkin <alexander.v.gutkin@intel.com>
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
lib/librte_ip_frag/rte_ipv4_reassembly.c
lib/librte_ip_frag/rte_ipv6_reassembly.c
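
The check described in the commit message, as an added stand-alone example; it is not the DPDK patch, whose diff is not shown on this page. The names frag_info, frag_parse_ipv4, build_hdr and sample_accept_mask are hypothetical, and the four headers are constructed from the fragment sequence listed above.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical fragment descriptor for this example (not a DPDK type). */
struct frag_info { uint16_t ofs; int32_t len; int mf; };

/* Parse a raw IPv4 header; return 0 if the fragment may be queued for
 * reassembly, -1 if it must be dropped. Only the header is inspected. */
int frag_parse_ipv4(const uint8_t *hdr, size_t caplen, struct frag_info *out)
{
    if (caplen < 20 || (hdr[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(hdr[0] & 0x0f) * 4;       /* header length, bytes */
    if (ihl < 20 || caplen < ihl) return -1;
    uint16_t total = (uint16_t)((hdr[2] << 8) | hdr[3]);
    uint16_t fo = (uint16_t)((hdr[6] << 8) | hdr[7]);
    int32_t len = (int32_t)total - (int32_t)ihl;    /* fragment payload length */
    if (len <= 0) return -1;    /* zero-length (or negative) payload: drop */
    out->ofs = (uint16_t)((fo & 0x1fff) * 8);       /* offset is in 8-byte units */
    out->len = len;
    out->mf = (fo & 0x2000) != 0;                   /* more-fragments flag */
    return 0;
}

/* Build a 20-byte header for a constructed test fragment. */
static void build_hdr(uint8_t h[20], uint16_t ofs, uint16_t len, int mf)
{
    uint16_t total = (uint16_t)(20 + len);
    uint16_t fo = (uint16_t)((ofs / 8) | (mf ? 0x2000 : 0));
    memset(h, 0, 20);
    h[0] = 0x45;                                    /* version 4, IHL 5 */
    h[2] = (uint8_t)(total >> 8); h[3] = (uint8_t)total;
    h[6] = (uint8_t)(fo >> 8);    h[7] = (uint8_t)fo;
}

/* Run the four fragments from the commit message; bit i set = accepted. */
unsigned sample_accept_mask(void)
{
    static const struct frag_info s[4] = {          /* constructed sample */
        {0, 100, 1}, {96, 100, 1}, {200, 0, 1}, {200, 100, 0} };
    unsigned mask = 0;
    for (int i = 0; i < 4; i++) {
        uint8_t h[20]; struct frag_info fi;
        build_hdr(h, s[i].ofs, (uint16_t)s[i].len, s[i].mf);
        if (frag_parse_ipv4(h, sizeof h, &fi) == 0) mask |= 1u << i;
    }
    return mask;
}

int main(void) { printf("accepted mask: 0x%x\n", sample_accept_mask()); return 0; }
```

Only the third fragment (ofs=200, len=0, MF set) is rejected, so it never reaches the reassembly table.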