On Tue, 8 Jan 2019 01:22:18 +0000
"Hu, Jiayu" <jiayu...@intel.com> wrote:

> > -----Original Message-----
> > From: Richardson, Bruce
> > Sent: Monday, January 7, 2019 10:30 PM
> > To: Hu, Jiayu <jiayu...@intel.com>
> > Cc: dev@dpdk.org; Bie, Tiwei <tiwei....@intel.com>; sta...@dpdk.org
> > Subject: Re: [dpdk-dev] [PATCH] gro: fix overflow of TCP Options length
> > calculation
> > 
> > On Fri, Jan 04, 2019 at 09:57:16AM +0800, Jiayu Hu wrote:  
> > > If we receive a packet with an invalid TCP header, whose
> > > TCP header length is less than 20 bytes (the minimal TCP
> > > header length), the calculated TCP Options length will
> > > overflow and result in incorrect reassembly behaviors.  
> > 
> > Please explain how changing the "len" type fixes this behaviour.  
> 
> Originally, 'uint16_t len = RTE_MAX(tcp_hl, tcp_hl_orig) - sizeof(struct tcp_hdr)'.
> When the TCP header length of an input packet is less than 20, which is the
> value of sizeof(struct tcp_hdr), the value of len will overflow. For example,
> if TCP header lengths of input packets are 14, the value of 'len' will be
> 65529 (65535-6). After that, we will compare TCP options via
> memcmp(tcp_hdr+1,..., len), which would cause a segmentation fault.

For future safety, GRO should check header lengths for IP and TCP before looking
at the packet. It is basic structure hygiene.
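
The length problem discussed in this thread, as an added example that is not part of the original messages and is not DPDK code: the quoted `uint16_t` calculation next to a variant that validates the header length before subtracting. `struct seg`, its fields and all function names are hypothetical, and the buffers in `main` are constructed samples.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TCP_HDR_MIN 20u   /* sizeof(struct tcp_hdr) in the thread */
#define TCP_HDR_MAX 60u   /* largest header a 4-bit data offset can encode */

/* Hypothetical view of one segment: pointer to the TCP header, the header
 * length claimed for it, and the bytes actually present in the buffer. */
struct seg {
    const uint8_t *tcp;
    uint16_t tcp_hl;
    size_t avail;
};

/* The calculation quoted in the thread: the result is truncated into
 * uint16_t, so any tcp_hl below 20 wraps to a value just under 65536. */
uint16_t opt_len_unchecked(uint16_t tcp_hl, uint16_t tcp_hl_orig)
{
    uint16_t max = tcp_hl > tcp_hl_orig ? tcp_hl : tcp_hl_orig;
    return (uint16_t)(max - TCP_HDR_MIN);
}

/* Validate first, subtract second. Returns 0 and sets *opt_len, or -1. */
int opt_len_checked(const struct seg *s, uint16_t *opt_len)
{
    if (s->tcp_hl < TCP_HDR_MIN || s->tcp_hl > TCP_HDR_MAX ||
        s->tcp_hl > s->avail)
        return -1;
    *opt_len = (uint16_t)(s->tcp_hl - TCP_HDR_MIN);
    return 0;
}

/* 1 = options identical, 0 = options differ, -1 = malformed (do not merge). */
int tcp_opts_equal(const struct seg *a, const struct seg *b)
{
    uint16_t la, lb;
    if (opt_len_checked(a, &la) < 0 || opt_len_checked(b, &lb) < 0)
        return -1;
    if (la != lb)
        return 0;
    return memcmp(a->tcp + TCP_HDR_MIN, b->tcp + TCP_HDR_MIN, la) == 0;
}

int main(void)
{
    uint8_t a[32] = {0}, b[32] = {0};   /* constructed sample headers */
    struct seg bad = { a, 14, sizeof(a) }, ok = { b, 32, sizeof(b) };
    return tcp_opts_equal(&bad, &ok) == -1 ? 0 : 1;  /* rejected before memcmp */
}
```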
