tap: fix uses of l3_len in tap4_handler()

l3_len was calculated from the ethernet frame size, and it
was assumed to be equal to the length stored in an IP packet.
But if the ethernet frame is padded, then l3_len calculated
that way can only be used as a bound check to validate the
length stored in an IP header. It should not be used for
calculating the l4_len.

This patch makes sure the small padded ethernet frames are
properly processed, by trusting the length stored in an IP
header.

Link: https://bugs.passt.top/show_bug.cgi?id=73
Signed-off-by: Stas Sergeev <stsp2@yandex.ru>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

1 files changed, 2 insertions, 2 deletions

diff --git a/tap.c b/tap.c
index ee79be0..8d7859c 100644
--- a/tap.c
+++ b/tap.c
@@ -615,7 +615,7 @@ resume:
 			continue;
 
 		hlen = iph->ihl * 4UL;
-		if (hlen < sizeof(*iph) || htons(iph->tot_len) != l3_len ||
+		if (hlen < sizeof(*iph) || htons(iph->tot_len) > l3_len ||
 		    hlen > l3_len)
 			continue;
 
@@ -623,7 +623,7 @@ resume:
 		if (tap4_is_fragment(iph, now))
 			continue;
 
-		l4_len = l3_len - hlen;
+		l4_len = htons(iph->tot_len) - hlen;
 
 		if (iph->saddr && c->ip4.addr_seen.s_addr != iph->saddr)
 			c->ip4.addr_seen.s_addr = iph->saddr;