From patchwork Wed Apr 17 14:36:47 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Radu Nicolau X-Patchwork-Id: 52874 X-Patchwork-Delegate: ferruh.yigit@amd.com Return-Path: X-Original-To: patchwork@dpdk.org Delivered-To: patchwork@dpdk.org Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id EF1011B6E2; Wed, 17 Apr 2019 16:42:49 +0200 (CEST) Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) by dpdk.org (Postfix) with ESMTP id 9CD361B642; Wed, 17 Apr 2019 16:42:48 +0200 (CEST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga005.jf.intel.com ([10.7.209.41]) by fmsmga101.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 17 Apr 2019 07:42:46 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.60,362,1549958400"; d="scan'208";a="316748814" Received: from silpixa00383879.ir.intel.com (HELO silpixa00383879.ger.corp.intel.com) ([10.237.222.142]) by orsmga005.jf.intel.com with ESMTP; 17 Apr 2019 07:42:45 -0700 From: Radu Nicolau To: dev@dpdk.org Cc: declan.doherty@intel.com, chas3@att.com, ferruh.yigit@intel.com, Radu Nicolau , stable@dpdk.org Date: Wed, 17 Apr 2019 15:36:47 +0100 Message-Id: <1555511807-18405-1-git-send-email-radu.nicolau@intel.com> X-Mailer: git-send-email 2.7.5 In-Reply-To: <1555320458-9432-1-git-send-email-radu.nicolau@intel.com> References: <1555320458-9432-1-git-send-email-radu.nicolau@intel.com> Subject: [dpdk-dev] [PATCH v3] net/bonding: fix potential out of bounds read X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Add validation to pointer constructed from the IPv4 header length in order to prevent malformed packets from generating a potential out of bounds memory read. Fixes: 09150784a776 ("net/bonding: burst mode hash calculation") Cc: stable@dpdk.org Signed-off-by: Radu Nicolau Acked-by: Chas Williams --- v2: add fixes lines v3: fix buffer end calculation drivers/net/bonding/rte_eth_bond_pmd.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/net/bonding/rte_eth_bond_pmd.c b/drivers/net/bonding/rte_eth_bond_pmd.c index b0d191d..2b7f2b3 100644 --- a/drivers/net/bonding/rte_eth_bond_pmd.c +++ b/drivers/net/bonding/rte_eth_bond_pmd.c @@ -842,6 +842,7 @@ burst_xmit_l34_hash(struct rte_mbuf **buf, uint16_t nb_pkts, for (i = 0; i < nb_pkts; i++) { eth_hdr = rte_pktmbuf_mtod(buf[i], struct ether_hdr *); + size_t pkt_end = (size_t)eth_hdr + rte_pktmbuf_data_len(buf[i]); proto = eth_hdr->ether_type; vlan_offset = get_vlan_offset(eth_hdr, &proto); l3hash = 0; @@ -865,13 +866,17 @@ burst_xmit_l34_hash(struct rte_mbuf **buf, uint16_t nb_pkts, tcp_hdr = (struct tcp_hdr *) ((char *)ipv4_hdr + ip_hdr_offset); - l4hash = HASH_L4_PORTS(tcp_hdr); + if ((size_t)tcp_hdr + sizeof(*tcp_hdr) + < pkt_end) + l4hash = HASH_L4_PORTS(tcp_hdr); } else if (ipv4_hdr->next_proto_id == IPPROTO_UDP) { udp_hdr = (struct udp_hdr *) ((char *)ipv4_hdr + ip_hdr_offset); - l4hash = HASH_L4_PORTS(udp_hdr); + if ((size_t)udp_hdr + sizeof(*udp_hdr) + < pkt_end) + l4hash = HASH_L4_PORTS(udp_hdr); } } } else if (rte_cpu_to_be_16(ETHER_TYPE_IPv6) == proto) {