From mboxrd@z Thu Jan 1 00:00:00 1970
From: Stas Sergeev
To: passt-dev@passt.top
Subject: [PATCH] tap: fix uses of l3_len in tap4_handler()
Date: Tue, 29 Aug 2023 21:44:06 +0500
Message-Id: <20230829164406.594036-1-stsp2@yandex.ru>
CC: Stas Sergeev, Stefano Brivio
List-Id: Development discussion and patches for passt

l3_len was calculated from the ethernet frame size, and it was assumed to be equal to the length stored in an IP packet. But if the ethernet frame is padded, then l3_len calculated that way can only be used as a bound check to validate the length stored in an IP header. It should not be used for calculating the l4_len.

This patch makes sure the small padded ethernet frames are properly processed, by trusting the length stored in an IP header.

Signed-off-by: Stas Sergeev
CC: Stefano Brivio
---
 tap.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tap.c b/tap.c index ee79be0..8d7859c 100644 --- a/tap.c +++ b/tap.c @@ -615,7 +615,7 @@ resume: continue; hlen = iph->ihl * 4UL; - if (hlen < sizeof(*iph) || htons(iph->tot_len) != l3_len || + if (hlen < sizeof(*iph) || htons(iph->tot_len) > l3_len || hlen > l3_len) continue; @@ -623,7 +623,7 @@ resume: if (tap4_is_fragment(iph, now)) continue; - l4_len = l3_len - hlen; + l4_len = htons(iph->tot_len) - hlen; if (iph->saddr && c->ip4.addr_seen.s_addr != iph->saddr) c->ip4.addr_seen.s_addr = iph->saddr; -- 2.40.1
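Review bot: in the first hunk (@@ -615), relaxing `htons(iph->tot_len) != l3_len` to `> l3_len` loses the lower bound on tot_len. Under the old equality, `hlen > l3_len` also guaranteed that hlen did not exceed tot_len; with the new condition a header whose tot_len is smaller than hlen (both within l3_len) passes, and the later `htons(iph->tot_len) - hlen` then drops below zero, which wraps because hlen is computed as `iph->ihl * 4UL`. Suggest adding `hlen > ntohs(iph->tot_len)` to the condition so the declared length is checked against the header size as well as the frame size.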
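Review bot: in the second hunk (@@ -623), `htons(iph->tot_len)` converts a field read from the wire, so `ntohs()` is the call that states the intent, and the same conversion is now repeated in the bounds check and in the l4_len assignment. Suggest converting once into a local next to hlen and using that local in both places, so the value that was validated is the value that is used. A one-line comment above the check saying that l3_len is only the frame-derived upper bound and may include padding would document the distinction the commit message draws.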