[PATCH v4 04/10] net/tap: skip checksum on truncated L4 headers

Stephen Hemminger stephen at networkplumber.org
Fri Feb 20 18:02:04 CET 2026

Previous message (by thread): [PATCH v4 03/10] net/tap: extend fixed MAC range to 16 bits
Next message (by thread): [PATCH v4 05/10] net/tap: fix resource leaks in tap create error path
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Add a bounds check before accessing the UDP or TCP header in
tap_verify_csum(). A single-segment packet whose L4 header extends
past rte_pktmbuf_data_len() would cause an out-of-bounds read.

Signed-off-by: Stephen Hemminger <stephen at networkplumber.org>
---
 drivers/net/tap/rte_eth_tap.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/net/tap/rte_eth_tap.c b/drivers/net/tap/rte_eth_tap.c
index 8b6d5db37e..45ca32cfb8 100644
--- a/drivers/net/tap/rte_eth_tap.c
+++ b/drivers/net/tap/rte_eth_tap.c
@@ -365,8 +365,15 @@ tap_verify_csum(struct rte_mbuf *mbuf)
 		 */
 		return;
 	}
+
 	if (l4 == RTE_PTYPE_L4_UDP || l4 == RTE_PTYPE_L4_TCP) {
 		int cksum_ok;
+		const unsigned int l4_min_len = (l4 == RTE_PTYPE_L4_UDP)
+			? sizeof(struct rte_udp_hdr) : sizeof(struct rte_tcp_hdr);
+
+		/* Don't verify checksum if L4 header is truncated */
+		if (l2_len + l3_len + l4_min_len > rte_pktmbuf_data_len(mbuf))
+			return;
 
 		l4_hdr = rte_pktmbuf_mtod_offset(mbuf, void *, l2_len + l3_len);
 		/* Don't verify checksum for multi-segment packets. */
-- 
2.51.0

Previous message (by thread): [PATCH v4 03/10] net/tap: extend fixed MAC range to 16 bits
Next message (by thread): [PATCH v4 05/10] net/tap: fix resource leaks in tap create error path
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the dev mailing list