[ovs-dev] [PATCH 1/2] flow: Add length check when retrieving TCP flags.
Pravin Shelar
pshelar at nicira.com
Fri Mar 23 22:51:14 UTC 2012
On Fri, Mar 23, 2012 at 1:48 PM, Jesse Gross <jesse at nicira.com> wrote:
> When collecting TCP flags we check that the IP header indicates that
> a TCP header is present but not that the packet is actually long
> enough to contain the header. This adds a check to prevent reading
> off the end of the packet.
>
> In practice, this is only likely to result in reading of bad data and
> not a crash due to the presence of struct skb_shared_info at the end
> of the packet.
>
> Signed-off-by: Jesse Gross <jesse at nicira.com>
> ---
> datapath/flow.c | 3 ++-
> lib/dpif-netdev.c | 3 ++-
> 2 files changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/datapath/flow.c b/datapath/flow.c
> index fb4fc21..27a8f24 100644
> --- a/datapath/flow.c
> +++ b/datapath/flow.c
> @@ -185,7 +185,8 @@ void ovs_flow_used(struct sw_flow *flow, struct sk_buff *skb)
> u8 tcp_flags = 0;
>
> if (flow->key.eth.type == htons(ETH_P_IP) &&
> - flow->key.ip.proto == IPPROTO_TCP) {
> + flow->key.ip.proto == IPPROTO_TCP &&
> + likely(skb->len >= skb_transport_offset(skb) + sizeof(struct tcphdr))) {
> u8 *tcp = (u8 *)tcp_hdr(skb);
> tcp_flags = *(tcp + TCP_FLAGS_OFFSET) & TCP_FLAG_MASK;
> }
> diff --git a/lib/dpif-netdev.c b/lib/dpif-netdev.c
> index e1dc725..d73050a 100644
> --- a/lib/dpif-netdev.c
> +++ b/lib/dpif-netdev.c
> @@ -976,7 +976,8 @@ dp_netdev_flow_used(struct dp_netdev_flow *flow, struct flow *key,
> flow->used = time_msec();
> flow->packet_count++;
> flow->byte_count += packet->size;
> - if (key->dl_type == htons(ETH_TYPE_IP) && key->nw_proto == IPPROTO_TCP) {
> + if (key->dl_type == htons(ETH_TYPE_IP) &&
> + key->nw_proto == IPPROTO_TCP && packet->l7) {
> struct tcp_header *th = packet->l4;
> flow->tcp_ctl |= th->tcp_ctl;
> }
Looks good.
Acked-by: Pravin B Shelar <pshelar at nicira.com>
> --
> 1.7.5.4
>
> _______________________________________________
> dev mailing list
> dev at openvswitch.org
> http://openvswitch.org/mailman/listinfo/dev
More information about the dev
mailing list