The checksum calculation APIs take only the packet headers pointers as
parameters, so they assume that the lengths reported in those headers are
correct. However, a malicious packet could claim to be far larger than it
is, so we need to check the header lengths in the driver before calling
the checksum API.
A better fix would be to allow the lengths to be passed into the API
function, but that would be an API break, so fixing in TAP driver for
now.
CC: sta...@dpdk.org
Fixes: 8ae3023387e9 ("net/tap: add Rx/Tx checksum offload support")
Signed-off-by: Bruce Richardson <bruce.richard...@intel.com>
---
drivers/net/tap/rte_eth_tap.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/drivers/net/tap/rte_eth_tap.c b/drivers/net/tap/rte_eth_tap.c
index 49afd38dd..0ec030bef 100644
--- a/drivers/net/tap/rte_eth_tap.c
+++ b/drivers/net/tap/rte_eth_tap.c
@@ -281,13 +281,27 @@ tap_verify_csum(struct rte_mbuf *mbuf)
l3_len = 4 * (iph->version_ihl & 0xf);
if (unlikely(l2_len + l3_len > rte_pktmbuf_data_len(mbuf)))
return;
+ /* check that the total length reported by header is not
+ * greater than the total received size
+ */
+ if (l2_len + rte_be_to_cpu_16(iph->total_length) >
+ rte_pktmbuf_data_len(mbuf))
+ return;
cksum = ~rte_raw_cksum(iph, l3_len);
mbuf->ol_flags |= cksum ?
PKT_RX_IP_CKSUM_BAD :
PKT_RX_IP_CKSUM_GOOD;
} else if (l3 == RTE_PTYPE_L3_IPV6) {
+ struct ipv6_hdr *iph = l3_hdr;
+
l3_len = sizeof(struct ipv6_hdr);
+ /* check that the total length reported by header is not
+ * greater than the total received size
+ */
+ if (l2_len + l3_len + rte_be_to_cpu_16(iph->payload_len) >
+ rte_pktmbuf_data_len(mbuf))
+ return;
} else {
/* IPv6 extensions are not supported */
return;
--
2.19.2
