Re: [ovs-dev] [PATCH 1/2] flow: Add length check when retrieving TCP flags.

Fri, 23 Mar 2012 16:43:14 -0700 

On Fri, Mar 23, 2012 at 3:51 PM, Pravin Shelar <pshe...@nicira.com> wrote:
> On Fri, Mar 23, 2012 at 1:48 PM, Jesse Gross <je...@nicira.com> wrote:
>> When collecting TCP flags we check that the IP header indicates that
>> a TCP header is present but not that the packet is actually long
>> enough to contain the header.  This adds a check to prevent reading
>> off the end of the packet.
>>
>> In practice, this is only likely to result in reading of bad data and
>> not a crash due to the presence of struct skb_shared_info at the end
>> of the packet.
>>
>> Signed-off-by: Jesse Gross <je...@nicira.com>
>> ---
>>  datapath/flow.c   |    3 ++-
>>  lib/dpif-netdev.c |    3 ++-
>>  2 files changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/datapath/flow.c b/datapath/flow.c
>> index fb4fc21..27a8f24 100644
>> --- a/datapath/flow.c
>> +++ b/datapath/flow.c
>> @@ -185,7 +185,8 @@ void ovs_flow_used(struct sw_flow *flow, struct sk_buff 
>> *skb)
>>        u8 tcp_flags = 0;
>>
>>        if (flow->key.eth.type == htons(ETH_P_IP) &&
>> -           flow->key.ip.proto == IPPROTO_TCP) {
>> +           flow->key.ip.proto == IPPROTO_TCP &&
>> +           likely(skb->len >= skb_transport_offset(skb) + sizeof(struct 
>> tcphdr))) {
>>                u8 *tcp = (u8 *)tcp_hdr(skb);
>>                tcp_flags = *(tcp + TCP_FLAGS_OFFSET) & TCP_FLAG_MASK;
>>        }
>> diff --git a/lib/dpif-netdev.c b/lib/dpif-netdev.c
>> index e1dc725..d73050a 100644
>> --- a/lib/dpif-netdev.c
>> +++ b/lib/dpif-netdev.c
>> @@ -976,7 +976,8 @@ dp_netdev_flow_used(struct dp_netdev_flow *flow, struct 
>> flow *key,
>>     flow->used = time_msec();
>>     flow->packet_count++;
>>     flow->byte_count += packet->size;
>> -    if (key->dl_type == htons(ETH_TYPE_IP) && key->nw_proto == IPPROTO_TCP) 
>> {
>> +    if (key->dl_type == htons(ETH_TYPE_IP) &&
>> +        key->nw_proto == IPPROTO_TCP && packet->l7) {
>>         struct tcp_header *th = packet->l4;
>>         flow->tcp_ctl |= th->tcp_ctl;
>>     }
>
> Looks good.
> Acked-by: Pravin B Shelar <pshe...@nicira.com>

Thanks, I pushed both of these patches.
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev

Reply via email to