[ovs-dev] [VLAN/SNAP 2/3] dpif-netdev: Tolerate undersized packets.
Ben Pfaff
blp at nicira.com
Tue Aug 10 18:53:39 UTC 2010
On Thu, Aug 05, 2010 at 01:41:20PM -0400, Jesse Gross wrote:
> On Wed, Jul 28, 2010 at 2:01 PM, Ben Pfaff <blp at nicira.com> wrote:
>
> > + if (packet->size < sizeof(struct eth_header)) {
> > + return;
> > + }
> >
>
> Should we just discard packets that are less than Ethernet header size in
> dp_netdev_port_input()? It seems that nothing good will come of them. We
> already do this in dpif_netdev_execute().
That's better, thanks.
> dp_netdev_strip_vlan(struct ofpbuf *packet)
> > {
> > struct vlan_eth_header *veh = packet->l2;
> > - if (veh->veth_type == htons(ETH_TYPE_VLAN)) {
> > + if (packet->size >= sizeof *veh
> > + && veh->veth_type == htons(ETH_TYPE_VLAN)) {
> >
>
> I think the problem is bigger than this and also exists in the kernel
> datapath.
> We never reset key->dl_type if the corresponding L3 header isn't present,
> which means that both operations on vlan headers and IP headers are
> vulnerable. The only header we zero out is L4. Additionally,
> vlan_pull_tag() and modify_vlan_tci() in the kernel and
> dp_netdev_strip_vlan() in userspace check that they are operating on packets
> with vlan headers by looking at the skb directly, not the flow key, which
> bypasses the length check.
Ouch. I can't believe that we still have this problem. I swear I've
fixed it a dozen times. I'll send out a new patch.
More information about the dev
mailing list