authorStas Sergeev <stsp2@yandex.ru>2023-08-29 21:44:06 +0500
committerStefano Brivio <sbrivio@redhat.com>2023-09-07 11:24:14 +0200
commitd8c4f23ecdaf59350e686b786860a41a2e4d4dda (patch)
tree68e060f3d11128d35c08a5dd1be7a4bebd747df3
parenta405d0c026582375448fe87c6e440eb0fd428dd7 (diff)
tap: fix uses of l3_len in tap4_handler()
l3_len was calculated from the ethernet frame size, and it was assumed to be equal to the length stored in an IP packet. But if the ethernet frame is padded, then l3_len calculated that way can only be used as a bound check to validate the length stored in an IP header. It should not be used for calculating the l4_len. This patch makes sure the small padded ethernet frames are properly processed, by trusting the length stored in an IP header. Link: https://bugs.passt.top/show_bug.cgi?id=73 Signed-off-by: Stas Sergeev <stsp2@yandex.ru> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
-rw-r--r--tap.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/tap.c b/tap.c
index ee79be0..8d7859c 100644
--- a/tap.c
+++ b/tap.c
@@ -615,7 +615,7 @@ resume:
continue;
hlen = iph->ihl * 4UL;
- if (hlen < sizeof(*iph) || htons(iph->tot_len) != l3_len ||
+ if (hlen < sizeof(*iph) || htons(iph->tot_len) > l3_len ||
hlen > l3_len)
continue;
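Review bot: The relaxed check bounds `tot_len` only from above, so a header whose `tot_len` is smaller than `hlen` (for example a `tot_len` of 0 with a valid `ihl`) now passes, whereas the old `!= l3_len` test combined with `hlen > l3_len` ruled that out. The second hunk then computes `l4_len = htons(iph->tot_len) - hlen`, which goes negative or, if `l4_len` is unsigned (its declaration is outside the hunk), wraps to a very large length taken from guest-controlled data. Comparing the header length against the packet's own length closes the gap: replace `hlen > l3_len)` with `hlen > htons(iph->tot_len))`, which together with `htons(iph->tot_len) > l3_len` still implies `hlen <= l3_len`. The enclosing function begins and ends outside this hunk, so any later check on `l4_len` is not visible here.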
@@ -623,7 +623,7 @@ resume:
if (tap4_is_fragment(iph, now))
continue;
- l4_len = l3_len - hlen;
+ l4_len = htons(iph->tot_len) - hlen;
if (iph->saddr && c->ip4.addr_seen.s_addr != iph->saddr)
c->ip4.addr_seen.s_addr = iph->saddr;
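Review bot: The new `l4_len` assignment carries no comment saying why the IP header's length is preferred over the frame-derived `l3_len`, and that reasoning currently lives only in the commit message. A one-line comment above it would keep the next reader from "simplifying" it back, e.g. `/* Frame may be padded: l3_len is only an upper bound, use tot_len */`. As a point of style, the field is being converted from network to host order, so `ntohs(iph->tot_len)` states the intent more accurately than `htons()` even though the two compute the same value; reading it once into a local would also avoid converting it in both hunks.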