[ovs-dev] [VLAN/SNAP 2/3] dpif-netdev: Tolerate undersized packets.

Jesse Gross jesse at nicira.com
Thu Aug 5 17:41:20 UTC 2010

On Wed, Jul 28, 2010 at 2:01 PM, Ben Pfaff <blp at nicira.com> wrote:

> +    if (packet->size < sizeof(struct eth_header)) {
> +        return;
> +    }

Should we just discard packets that are less than Ethernet header size in
dp_netdev_port_input()?  It seems that nothing good will come of them.  We
already do this in dpif_netdev_execute().

  dp_netdev_strip_vlan(struct ofpbuf *packet)
>  {
>     struct vlan_eth_header *veh = packet->l2;
> -    if (veh->veth_type == htons(ETH_TYPE_VLAN)) {
> +    if (packet->size >= sizeof *veh
> +        && veh->veth_type == htons(ETH_TYPE_VLAN)) {

I think the problem is bigger than this and also exists in the kernel
We never reset key->dl_type if the corresponding L3 header isn't present,
which means that both operations on vlan headers and IP headers are
vulnerable.  The only header we zero out is L4.  Additionally,
vlan_pull_tag() and modify_vlan_tci() in the kernel and
dp_netdev_strip_vlan() in userspace check that they are operating on packets
with vlan headers by looking at the skb directly, not the flow key, which
bypasses the length check.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openvswitch.org/pipermail/ovs-dev/attachments/20100805/19ce6aea/attachment-0003.html>

More information about the dev mailing list