From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: passt.top; dmarc=none (p=none dis=none) header.from=gibson.dropbear.id.au
Authentication-Results: passt.top;
	dkim=pass (2048-bit key; secure) header.d=gibson.dropbear.id.au header.i=@gibson.dropbear.id.au header.a=rsa-sha256 header.s=202412 header.b=GXE+SrVl;
	dkim-atps=neutral
Received: from mail.ozlabs.org (mail.ozlabs.org [IPv6:2404:9400:2221:ea00::3])
	by passt.top (Postfix) with ESMTPS id 78A095A0628
	for <passt-dev@passt.top>; Fri, 20 Dec 2024 09:58:40 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gibson.dropbear.id.au; s=202412; t=1734685098;
	bh=LoM3iEyFo9RphmXgFrjiwkadr5xuNFrTHOZfk9yb244=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=GXE+SrVltlL1gqCghYPna9qkBxjB1KnAKl+t8qRBspvhvS+bM6lOJVgalR859OiPy
	 Mv9X6f8x+G0Eg3I9QMuNnIp5Vz9eToZXno7rwc5WhVNC+rvw1/0zfvcSlIKCxfmTKh
	 yICuotMyH5WNwqMvnzr6T8gGyVbp3c9AMgLqGFXqR1kS3iTiC/V+MSXDBF1910HHtX
	 chbKL71tdxeLRaPd7fRGOnK4vR7qWS0nJcBmrSlp4/pdCV1heh0yPAB0SjuKmOsakE
	 v0HV938aqMr1mzoiZ1a2+1FfXK8d9vH0Tmw28BL2u9lNZvorkUK4MBX3JbQh1MqnPs
	 MAQ3/pRF55M6Q==
Received: by gandalf.ozlabs.org (Postfix, from userid 1007)
	id 4YF1Xp1F58z4xcm; Fri, 20 Dec 2024 19:58:18 +1100 (AEDT)
From: David Gibson <david@gibson.dropbear.id.au>
To: Stefano Brivio <sbrivio@redhat.com>,
	passt-dev@passt.top
Subject: [PATCH v2 06/12] packet: Don't hard code maximum packet size to UINT16_MAX
Date: Fri, 20 Dec 2024 19:35:29 +1100
Message-ID: <20241220083535.1372523-7-david@gibson.dropbear.id.au>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20241220083535.1372523-1-david@gibson.dropbear.id.au>
References: <20241220083535.1372523-1-david@gibson.dropbear.id.au>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-ID-Hash: 4VWVJDN6VMYI7KH4IAL4CPVVUSKVLTQY
X-Message-ID-Hash: 4VWVJDN6VMYI7KH4IAL4CPVVUSKVLTQY
X-MailFrom: dgibson@gandalf.ozlabs.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: David Gibson <david@gibson.dropbear.id.au>
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/20241220083535.1372523-7-david@gibson.dropbear.id.au/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/4VWVJDN6VMYI7KH4IAL4CPVVUSKVLTQY/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>

We verify that every packet we store in a pool - and every partial packet
we retreive from it has a length no longer than UINT16_MAX.  This
originated in the older packet pool implementation which stored packet
lengths in a uint16_t.  Now, that packets are represented by a struct
iovec with its size_t length, this check serves only as a sanity / security
check that we don't have some wildly out of range length due to a bug
elsewhere.

However, UINT16_MAX (65535) isn't quite enough, because the "packet" as
stored in the pool is in fact an entire frame including both L2 and any
backend specific headers.  We can exceed this in passt mode, even with the
default MTU: 65520 bytes of IP datagram + 14 bytes of Ethernet header +
4 bytes of qemu stream length header = 65538 bytes.

Introduce our own define for the maximum length of a packet in the pool and
set it slightly larger, allowing 128 bytes for L2 and/or other backend
specific headers.  We'll use different amounts of that depending on the
tap backend, but since this is just a sanity check, the bound doesn't need
to be 100% tight.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
---
 packet.c | 4 ++--
 packet.h | 7 +++++++
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/packet.c b/packet.c
index 0330b548..bcac0375 100644
--- a/packet.c
+++ b/packet.c
@@ -83,7 +83,7 @@ void packet_add_do(struct pool *p, size_t len, const char *start,
 	if (packet_check_range(p, start, len, func, line))
 		return;
 
-	if (len > UINT16_MAX) {
+	if (len > PACKET_MAX_LEN) {
 		trace("add packet length %zu, %s:%i", len, func, line);
 		return;
 	}
@@ -119,7 +119,7 @@ void *packet_get_do(const struct pool *p, size_t idx, size_t offset,
 		return NULL;
 	}
 
-	if (len > UINT16_MAX) {
+	if (len > PACKET_MAX_LEN) {
 		if (func) {
 			trace("packet data length %zu, %s:%i",
 			      len, func, line);
diff --git a/packet.h b/packet.h
index bdc07fef..05d37695 100644
--- a/packet.h
+++ b/packet.h
@@ -6,6 +6,13 @@
 #ifndef PACKET_H
 #define PACKET_H
 
+/* Maximum size of a single packet in a pool, including all headers.  Sized to
+ * allow a maximum size IP datagram (65535) plus some extra space or L2 and
+ * backend specific headers.  This is just for sanity checking, so doesn't need
+ * to be a tight limit.
+ */
+#define PACKET_MAX_LEN	ROUND_UP(IP_MAX_MTU + 128, sizeof(unsigned long))
+
 /**
  * struct pool - Generic pool of packets stored in a buffer
  * @buf:	Buffer storing packet descriptors,
-- 
2.47.1