[ovs-dev] [PATCH] conntrack: check the result of extract_l3_ipv4/6

Darrell Ball dlu998 at gmail.com
Mon Aug 19 15:35:11 UTC 2019


Thanks for the patch

On Sun, Aug 18, 2019 at 11:01 PM Li RongQing <lirongqing at baidu.com> wrote:

> the result of extract_l3_ipv4/6 should be checked in reverse_nat_packet
> when it is false, meaning this packet is wrong, should not do handle it
> continually
>
> Signed-off-by: Li RongQing <lirongqing at baidu.com>
> ---
>  lib/conntrack.c | 17 +++++++++++++++--
>  1 file changed, 15 insertions(+), 2 deletions(-)
>
> diff --git a/lib/conntrack.c b/lib/conntrack.c
> index 5f60fea18..c26d5438c 100644
> --- a/lib/conntrack.c
> +++ b/lib/conntrack.c
> @@ -695,11 +695,18 @@ reverse_nat_packet(struct dp_packet *pkt, const
> struct conn *conn)
>      uint16_t orig_l4_ofs = pkt->l4_ofs;
>
>      if (conn->key.dl_type == htons(ETH_TYPE_IP)) {
> +        bool ok;
>          struct ip_header *nh = dp_packet_l3(pkt);
>          struct icmp_header *icmp = dp_packet_l4(pkt);
>          struct ip_header *inner_l3 = (struct ip_header *) (icmp + 1);
> -        extract_l3_ipv4(&inner_key, inner_l3, tail - ((char *)inner_l3) -
> pad,
>

There is intentionally no checking for success/fail here bcoz the packet
has already
been parsed and found to be ok during conn_key_extract() code path. Reusing
the
same api here is just convenient.


> +
> +        ok = extract_l3_ipv4(&inner_key, inner_l3,
> +                        tail - ((char *)inner_l3) - pad,
>                          &inner_l4, false);
> +        if (!ok) {
> +            return;
> +        }
> +
>          pkt->l3_ofs += (char *) inner_l3 - (char *) nh;
>          pkt->l4_ofs += inner_l4 - (char *) icmp;
>
> @@ -715,13 +722,19 @@ reverse_nat_packet(struct dp_packet *pkt, const
> struct conn *conn)
>          icmp->icmp_csum = 0;
>          icmp->icmp_csum = csum(icmp, tail - (char *) icmp - pad);
>      } else {
> +        bool ok;
>          struct ovs_16aligned_ip6_hdr *nh6 = dp_packet_l3(pkt);
>          struct icmp6_error_header *icmp6 = dp_packet_l4(pkt);
>          struct ovs_16aligned_ip6_hdr *inner_l3_6 =
>              (struct ovs_16aligned_ip6_hdr *) (icmp6 + 1);
> -        extract_l3_ipv6(&inner_key, inner_l3_6,
>

There is intentionally no checking for success/fail here bcoz the packet
has already
been parsed and found to be ok during conn_key_extract() code path. Reusing
the
same api here is just convenient.


> +
> +        ok = extract_l3_ipv6(&inner_key, inner_l3_6,
>                          tail - ((char *)inner_l3_6) - pad,
>                          &inner_l4);
> +
> +        if (!ok) {
> +            return;
> +        }
>          pkt->l3_ofs += (char *) inner_l3_6 - (char *) nh6;
>          pkt->l4_ofs += inner_l4 - (char *) icmp6;
>
> --
> 2.16.2
>
> _______________________________________________
> dev mailing list
> dev at openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>


More information about the dev mailing list