[PATCH] app/testpmd: fix VLAN header parsing
Stephen Hemminger
stephen at networkplumber.org
Sun Mar 23 17:00:32 CET 2025
On Sun, 23 Mar 2025 14:28:22 +0200
Raslan Darawsheh <rasland at nvidia.com> wrote:
> Signed-off-by: Raslan Darawsheh <rasland at nvidia.com>
> ---
> app/test-pmd/csumonly.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/app/test-pmd/csumonly.c b/app/test-pmd/csumonly.c
> index 5b906eaa53..302cc4cc66 100644
> --- a/app/test-pmd/csumonly.c
> +++ b/app/test-pmd/csumonly.c
> @@ -468,6 +468,7 @@ get_ethertype_by_ptype(struct rte_ether_hdr *eth_hdr, uint32_t ptype)
> {
> struct rte_vlan_hdr *vlan_hdr;
> uint16_t ethertype;
> + uint32_t i = 0;
>
> switch (ptype) {
> case RTE_PTYPE_L3_IPV4:
> @@ -486,10 +487,11 @@ get_ethertype_by_ptype(struct rte_ether_hdr *eth_hdr, uint32_t ptype)
> return _htons(RTE_ETHER_TYPE_IPV6);
> default:
> ethertype = eth_hdr->ether_type;
> - while (eth_hdr->ether_type == _htons(RTE_ETHER_TYPE_VLAN) ||
> - eth_hdr->ether_type == _htons(RTE_ETHER_TYPE_QINQ)) {
> + while (ethertype == _htons(RTE_ETHER_TYPE_VLAN) ||
> + ethertype == _htons(RTE_ETHER_TYPE_QINQ)) {
> vlan_hdr = (struct rte_vlan_hdr *)
> - ((char *)eth_hdr + sizeof(*eth_hdr));
> + ((char *)eth_hdr + sizeof(*eth_hdr) +
> + (i * sizeof(struct rte_vlan_hdr)));
> ethertype = vlan_hdr->eth_proto;
> }
> return ethertype;
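Review bot: `i` is never incremented inside the `while` loop in get_ethertype_by_ptype(), so `i * sizeof(struct rte_vlan_hdr)` is always 0 and every iteration re-reads the first VLAN header. When that header's `eth_proto` is itself VLAN or QinQ (a double-tagged frame), `ethertype` never changes and the loop does not terminate. Add `i++` after `ethertype = vlan_hdr->eth_proto;`, and bound the loop by both a maximum tag count and the data length available in the mbuf.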
A loop like this is prone to getting attacked with a malicious packet.
You should cut it off after a few VLAN headers.
Also, what if packet is truncated, shouldn't be reading past end of data.
And what if packet is fragmented, you need to use rte_pktmbuf_read().
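The checks asked for in the reply above (a cap on stacked VLAN headers and no reads past the end of data), as an added example that is not part of the patch or of DPDK. It assumes a contiguous byte buffer, whereas in testpmd the reads would go through rte_pktmbuf_read() to cope with segmented mbufs; `parse_l2_ethertype`, `read_be16` and the `MAX_VLAN_TAGS` cap of 2 are hypothetical choices made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define ETH_HDR_LEN   14u      /* dst MAC + src MAC + EtherType */
#define VLAN_HDR_LEN  4u       /* TCI + encapsulated EtherType */
#define ETYPE_VLAN    0x8100u
#define ETYPE_QINQ    0x88A8u
#define MAX_VLAN_TAGS 2u       /* assumed cap: one QinQ outer tag + one inner tag */

/* Read a big-endian 16-bit field only if it lies fully inside the buffer. */
static int read_be16(const uint8_t *buf, size_t len, size_t off, uint16_t *out)
{
    if (off > len || len - off < 2)
        return -1;
    *out = (uint16_t)((buf[off] << 8) | buf[off + 1]);
    return 0;
}

/*
 * Store the innermost EtherType (host order) and the total L2 header length.
 * Returns 0 on success, -1 if the frame is truncated or carries more than
 * MAX_VLAN_TAGS tags.
 */
int parse_l2_ethertype(const uint8_t *frame, size_t len,
                       uint16_t *ethertype, size_t *l2_len)
{
    size_t off = ETH_HDR_LEN - 2;   /* offset of the outer EtherType */
    unsigned int tags = 0;
    uint16_t et;

    if (read_be16(frame, len, off, &et) < 0)
        return -1;                  /* shorter than an Ethernet header */
    off += 2;
    while (et == ETYPE_VLAN || et == ETYPE_QINQ) {
        if (++tags > MAX_VLAN_TAGS)
            return -1;              /* refuse deep tag stacks */
        /* The encapsulated EtherType is the last 2 bytes of this tag. */
        if (read_be16(frame, len, off + 2, &et) < 0)
            return -1;              /* tag runs past the end of data */
        off += VLAN_HDR_LEN;        /* advance to the next header */
    }
    *ethertype = et;
    *l2_len = off;
    return 0;
}
```
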