[ovs-dev] [VLAN/SNAP 2/3] dpif-netdev: Tolerate undersized packets.

Ben Pfaff blp at nicira.com
Tue Aug 10 18:53:39 UTC 2010


On Thu, Aug 05, 2010 at 01:41:20PM -0400, Jesse Gross wrote:
> On Wed, Jul 28, 2010 at 2:01 PM, Ben Pfaff <blp at nicira.com> wrote:
> 
> > +    if (packet->size < sizeof(struct eth_header)) {
> > +        return;
> > +    }
> >
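Review bot: the early return on packet->size < sizeof(struct eth_header) drops the undersized packet silently; nothing in these lines counts or logs it, so runt frames disappear without a trace. Consider a drop counter or a rate-limited log message at this point. Since the reply notes that dpif_netdev_execute() already performs the same minimum-length test, a shared helper would keep the two checks from drifting apart.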
> 
> Should we just discard packets that are less than Ethernet header size in
> dp_netdev_port_input()?  It seems that nothing good will come of them.  We
> already do this in dpif_netdev_execute().

That's better, thanks.

>   dp_netdev_strip_vlan(struct ofpbuf *packet)
> >  {
> >     struct vlan_eth_header *veh = packet->l2;
> > -    if (veh->veth_type == htons(ETH_TYPE_VLAN)) {
> > +    if (packet->size >= sizeof *veh
> > +        && veh->veth_type == htons(ETH_TYPE_VLAN)) {
> >
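Review bot: in the new condition, packet->size is compared against sizeof *veh, but veh is taken from packet->l2, so the test bounds the veh->veth_type read only if l2 points at the first byte that size counts from. If l2 can sit further into the buffer, compare against the bytes remaining after l2 instead, or state the assumption that l2 is the start of the data in a comment next to the check.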
> 
> I think the problem is bigger than this and also exists in the kernel
> datapath.
> We never reset key->dl_type if the corresponding L3 header isn't present,
> which means that both operations on vlan headers and IP headers are
> vulnerable.  The only header we zero out is L4.  Additionally,
> vlan_pull_tag() and modify_vlan_tci() in the kernel and
> dp_netdev_strip_vlan() in userspace check that they are operating on packets
> with vlan headers by looking at the skb directly, not the flow key, which
> bypasses the length check.

Ouch.  I can't believe that we still have this problem.  I swear I've
fixed it a dozen times.  I'll send out a new patch.
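
An added illustration of the issue discussed in this thread (not code from the thread or from Open vSwitch): the flow-key step and the strip action each apply the length check themselves, so a truncated VLAN header is never trusted on the strength of the EtherType alone. The names key_dl_type() and strip_vlan(), the raw byte-buffer interface and the choice to report type 0 for a truncated header are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HEADER_LEN  14      /* dst MAC + src MAC + EtherType */
#define VLAN_HEADER_LEN 4       /* TPID + TCI inserted by 802.1Q */
#define ETH_TYPE_VLAN   0x8100

/* Read a big-endian 16-bit field; the caller guarantees off + 2 <= len. */
static uint16_t get_be16(const uint8_t *p, size_t off)
{
    return (uint16_t)((p[off] << 8) | p[off + 1]);
}

/* Hypothetical flow-key step: returns the EtherType to match on, or 0 when
 * the header that the type implies is not fully present in the frame. */
uint16_t key_dl_type(const uint8_t *frame, size_t len)
{
    if (len < ETH_HEADER_LEN)
        return 0;
    uint16_t type = get_be16(frame, 12);
    if (type == ETH_TYPE_VLAN && len < ETH_HEADER_LEN + VLAN_HEADER_LEN)
        return 0;               /* truncated tag: do not advertise VLAN */
    return type;
}

/* Hypothetical strip action: removes the 802.1Q tag in place.  It repeats
 * the length check instead of relying on the packet bytes alone.
 * Returns 1 if a tag was removed, 0 if the frame was left untouched. */
int strip_vlan(uint8_t *frame, size_t *len)
{
    if (*len < ETH_HEADER_LEN + VLAN_HEADER_LEN
        || get_be16(frame, 12) != ETH_TYPE_VLAN)
        return 0;
    /* Slide the encapsulated EtherType and payload over the TPID and TCI. */
    memmove(frame + 12, frame + 16, *len - 16);
    *len -= VLAN_HEADER_LEN;
    return 1;
}

int main(void)
{
    /* Constructed sample: 16-byte runt whose EtherType claims a VLAN tag. */
    uint8_t runt[16] = {0};
    size_t len = sizeof runt;
    runt[12] = 0x81;
    return (key_dl_type(runt, len) == 0 && strip_vlan(runt, &len) == 0) ? 0 : 1;
}
```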



