Add a bounds check before accessing the UDP or TCP header in tap_verify_csum(). A single-segment packet whose L4 header extends past rte_pktmbuf_data_len() would cause an out-of-bounds read.
Signed-off-by: Stephen Hemminger <[email protected]> --- drivers/net/tap/rte_eth_tap.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/net/tap/rte_eth_tap.c b/drivers/net/tap/rte_eth_tap.c index 8b6d5db37e..45ca32cfb8 100644 --- a/drivers/net/tap/rte_eth_tap.c +++ b/drivers/net/tap/rte_eth_tap.c @@ -365,8 +365,15 @@ tap_verify_csum(struct rte_mbuf *mbuf) */ return; } + if (l4 == RTE_PTYPE_L4_UDP || l4 == RTE_PTYPE_L4_TCP) { int cksum_ok; + const unsigned int l4_min_len = (l4 == RTE_PTYPE_L4_UDP) + ? sizeof(struct rte_udp_hdr) : sizeof(struct rte_tcp_hdr); + + /* Don't verify checksum if L4 header is truncated */ + if (l2_len + l3_len + l4_min_len > rte_pktmbuf_data_len(mbuf)) + return; l4_hdr = rte_pktmbuf_mtod_offset(mbuf, void *, l2_len + l3_len); /* Don't verify checksum for multi-segment packets. */ -- 2.51.0
