Date: Wed, 30 Aug 2023 11:22:15 +1000
From: David Gibson
To: Stas Sergeev
CC: passt-dev@passt.top, Stefano Brivio
Subject: Re: [PATCH] tap: fix uses of l3_len in tap4_handler()
In-Reply-To: <20230829164406.594036-1-stsp2@yandex.ru>

On Tue, Aug 29, 2023 at 09:44:06PM +0500, Stas Sergeev wrote:
> l3_len was calculated from the ethernet frame size, and it
> was assumed to be equal to the length stored in an IP packet.
> But if the ethernet frame is padded, then l3_len calculated
> that way can only be used as a bound check to validate the
> length stored in an IP header. It should not be used for
> calculating the l4_len.
>
> This patch makes sure the small padded ethernet frames are
> properly processed, by trusting the length stored in an IP
> header.
>
> Signed-off-by: Stas Sergeev

Reviewed-by: David Gibson

>
> CC: Stefano Brivio
> ---
> tap.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/tap.c b/tap.c > index ee79be0..8d7859c 100644 > --- a/tap.c > +++ b/tap.c
> @@ -615,7 +615,7 @@ resume: > continue; > =20 > hlen =3D iph->ihl * 4UL; > - if (hlen < sizeof(*iph) || htons(iph->tot_len) !=3D l3_len || > + if (hlen < sizeof(*iph) || htons(iph->tot_len) > l3_len || > hlen > l3_len) > continue; > =20 > @@ -623,7 +623,7 @@ resume: > if (tap4_is_fragment(iph, now)) > continue; > =20 > - l4_len =3D l3_len - hlen; > + l4_len =3D htons(iph->tot_len) - hlen; > =20 > if (iph->saddr && c->ip4.addr_seen.s_addr !=3D iph->saddr) > c->ip4.addr_seen.s_addr =3D iph->saddr;

-- 
David Gibson | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson
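
Review bot: In the first hunk, relaxing `htons(iph->tot_len) != l3_len` to `> l3_len` drops the implicit guarantee that `tot_len` is at least `hlen`: the remaining `hlen > l3_len` test bounds the header by the frame-derived length, not by `tot_len`. A frame whose IP header claims a `tot_len` smaller than `hlen` now passes this condition, and the subtraction in the second hunk then wraps if `hlen` and `l4_len` are unsigned, as `iph->ihl * 4UL` suggests (their declarations are not visible here). Suggest also rejecting `hlen > htons(iph->tot_len)` in this condition.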
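
Review bot: In the second hunk, `htons(iph->tot_len)` is converted a second time and is now the value every later length depends on; read it once into a local with `ntohs()` (the field is in network byte order, so `ntohs` is the accurate name even though the result is the same) and use that local both in the bounds test and in the `l4_len` subtraction. A short comment stating that `l3_len` may include Ethernet padding and is only an upper bound would keep later code from treating it as the packet length again.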
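
The length handling that the commit message describes, as an added example (not passt code and not part of the patch): the frame-derived length is used only as an upper bound and the L4 length comes from the IP header's total length. The names `ip4_l4_len` and `make_frame` and the 60-byte sample frame are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HDR_LEN  14u
#define IP4_MIN_HLEN 20u

/* L4 payload length of the IPv4 packet in an Ethernet frame, or -1 if the
 * lengths are inconsistent. frame_len may include trailing padding, so it
 * only bounds the total length stored in the IP header. */
long ip4_l4_len(const uint8_t *frame, size_t frame_len)
{
	if (frame_len < ETH_HDR_LEN + IP4_MIN_HLEN)
		return -1;

	const uint8_t *ip = frame + ETH_HDR_LEN;
	size_t l3_len = frame_len - ETH_HDR_LEN;        /* upper bound only */
	size_t hlen = (size_t)(ip[0] & 0x0f) * 4;       /* IHL, 32-bit words */
	size_t tot_len = ((size_t)ip[2] << 8) | ip[3];  /* network byte order */

	if ((ip[0] >> 4) != 4)
		return -1;
	if (hlen < IP4_MIN_HLEN || hlen > tot_len)      /* header inside packet */
		return -1;
	if (tot_len > l3_len)                           /* packet inside frame */
		return -1;

	return (long)(tot_len - hlen);                  /* padding excluded */
}

/* Constructed sample: a zeroed 60-byte frame (Ethernet minimum without FCS)
 * whose IPv4 header carries the given total length and IHL. */
size_t make_frame(uint8_t *buf, uint16_t tot_len, uint8_t ihl)
{
	for (size_t i = 0; i < 60; i++)
		buf[i] = 0;
	buf[12] = 0x08;                                 /* EtherType 0x0800 */
	buf[14] = (uint8_t)(0x40 | ihl);                /* version 4 + IHL */
	buf[16] = (uint8_t)(tot_len >> 8);
	buf[17] = (uint8_t)(tot_len & 0xff);
	return 60;
}

int main(void)
{
	uint8_t f[60];
	printf("padded frame:     %ld\n", ip4_l4_len(f, make_frame(f, 30, 5)));
	printf("tot_len < hlen:   %ld\n", ip4_l4_len(f, make_frame(f, 12, 5)));
	printf("tot_len > frame:  %ld\n", ip4_l4_len(f, make_frame(f, 80, 5)));
	return 0;
}
```

For the first sample the frame-derived length is 46 bytes, so subtracting the header length from it would count 16 bytes of padding as payload.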