aboutgitcodebugslistschat
path: root/tap.c
diff options
context:
space:
mode:
authorStas Sergeev <stsp2@yandex.ru>2023-08-29 21:44:06 +0500
committerStefano Brivio <sbrivio@redhat.com>2023-09-07 11:24:14 +0200
commitd8c4f23ecdaf59350e686b786860a41a2e4d4dda (patch)
tree68e060f3d11128d35c08a5dd1be7a4bebd747df3 /tap.c
parenta405d0c026582375448fe87c6e440eb0fd428dd7 (diff)
downloadpasst-d8c4f23ecdaf59350e686b786860a41a2e4d4dda.tar
passt-d8c4f23ecdaf59350e686b786860a41a2e4d4dda.tar.gz
passt-d8c4f23ecdaf59350e686b786860a41a2e4d4dda.tar.bz2
passt-d8c4f23ecdaf59350e686b786860a41a2e4d4dda.tar.lz
passt-d8c4f23ecdaf59350e686b786860a41a2e4d4dda.tar.xz
passt-d8c4f23ecdaf59350e686b786860a41a2e4d4dda.tar.zst
passt-d8c4f23ecdaf59350e686b786860a41a2e4d4dda.zip
tap: fix uses of l3_len in tap4_handler()
l3_len was calculated from the ethernet frame size, and it was assumed to be equal to the length stored in an IP packet. But if the ethernet frame is padded, then l3_len calculated that way can only be used as a bound check to validate the length stored in an IP header. It should not be used for calculating the l4_len. This patch makes sure the small padded ethernet frames are properly processed, by trusting the length stored in an IP header. Link: https://bugs.passt.top/show_bug.cgi?id=73 Signed-off-by: Stas Sergeev <stsp2@yandex.ru> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Diffstat (limited to 'tap.c')
-rw-r--r--tap.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/tap.c b/tap.c
index ee79be0..8d7859c 100644
--- a/tap.c
+++ b/tap.c
@@ -615,7 +615,7 @@ resume:
continue;
hlen = iph->ihl * 4UL;
- if (hlen < sizeof(*iph) || htons(iph->tot_len) != l3_len ||
+ if (hlen < sizeof(*iph) || htons(iph->tot_len) > l3_len ||
hlen > l3_len)
continue;
@@ -623,7 +623,7 @@ resume:
if (tap4_is_fragment(iph, now))
continue;
- l4_len = l3_len - hlen;
+ l4_len = htons(iph->tot_len) - hlen;
if (iph->saddr && c->ip4.addr_seen.s_addr != iph->saddr)
c->ip4.addr_seen.s_addr = iph->saddr;