[dpdk-dev] [PATCH 0/2] prevent out of bounds read with checksum

[Ferruh Yigit]

On 12/17/2018 3:50 PM, Bruce Richardson wrote:
> The functions for checksumming the packet payload don't perform bounds
> checks, and are used by the TAP driver which does not do any bounds checks
> on the incoming packet either. This means a packet received with an
> incorrect IP header can read beyond the end of the mbuf.
> 
> In the worst case, where the length is specified as being smaller than the
> IPv4 header, 32-bit wrap-around on subtraction occurs, meaning that approx
> 4GB of memory will be read.
> 
> To fix this, we can introduce a sanity check into the ipv4 function to
> ensure that underflow does not occur. Since the checksum function does not
> take the mbuf length as a parameter, we cannot check for overflow there,
> so we instead perform the checks in the TAP driver directly.
> 
> Ideally, in a future release, all checksum functions should be modified to
> take a max buffer length parameter to fix this issue globally.
> 
> NOTE: It appears that the dpaa driver also uses these functions, but from
> what I can see there, they are only used on TX, which means that there
> should be less need for parameter length checking, as the data does not
> come from an untrusted source. Perhaps maintainers, Hemant and Shreyansh,
> can confirm?
> 
> CC: Hemant Agrawal <hemant.agrawal at nxp.com>
> CC: Shreyansh Jain <shreyansh.jain at nxp.com>
> 
> Bruce Richardson (2):
>   net: fix underflow for checksum of invalid IPv4 packets
>   net/tap: add buffer overflow checks before checksum

Series applied to dpdk-next-net/master, thanks.