authorDarrell Ball <dlu998@gmail.com>2019-02-04 16:23:07 -0800
committerBen Pfaff <blp@ovn.org>2019-02-11 19:30:10 -0800
commit9171c63532ee9cbc63bb8cfae364ab071f44389b (patch)
treef5f2b05a416a2c7d23a1c20f03127f67d79a97ae /lib/conntrack.c
parent69c45b36bc99b0de9f00c9a7201d5ead4c2db0fe (diff)
conntrack: Exclude l2 padding in 'conn_key_extract()'.
'conn_key_extract()' in userspace conntrack is including L2 (Ethernet) pad bytes for both L3 and L4 sizes. One problem is any packet with non-zero L2 padding can incorrectly fail L4 checksum validation. This patch fixes conn_key_extract() by ignoring L2 pad bytes. Fixes: a489b16854b5 ("conntrack: New userspace connection tracker.") CC: Daniele Di Proietto <diproiettod@ovn.org> Co-authored-by: Vishal Deep Ajmera <vishal.deep.ajmera@ericsson.com> Co-authored-by: Venkatesan Pradeep <venkatesan.pradeep@ericsson.com> Co-authored-by: Nitin Katiyar <nitin.katiyar@ericsson.com> Signed-off-by: Vishal Deep Ajmera <vishal.deep.ajmera@ericsson.com> Signed-off-by: Venkatesan Pradeep <venkatesan.pradeep@ericsson.com> Signed-off-by: Nitin Katiyar <nitin.katiyar@ericsson.com> Signed-off-by: Darrell Ball <dlu998@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Diffstat (limited to 'lib/conntrack.c')
-rw-r--r--lib/conntrack.c12
1 files changed, 7 insertions, 5 deletions
diff --git a/lib/conntrack.c b/lib/conntrack.c
index 315a19e9e..5c43410ec 100644
--- a/lib/conntrack.c
+++ b/lib/conntrack.c
@@ -1875,6 +1875,9 @@ extract_l4_icmp6(struct conn_key *key, const void *data, size_t size,
* processed, the function will extract the key from the packet nested
* in the ICMP payload and set '*related' to true.
*
+ * 'size' here is the layer 4 size, which can be a nested size if parsing
+ * an ICMP or ICMP6 header.
+ *
* If 'related' is NULL, it means that we're already parsing a header nested
* in an ICMP error. In this case, we skip checksum and length validation. */
static inline bool
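Review bot: The added sentence says 'size' is the layer 4 size but does not say whether that size may include trailing Ethernet padding, which is the distinction this commit turns on. Since the checksum and length validation described in the same comment depend on it, I would state the contract explicitly, e.g. `* 'size' here is the layer 4 size, excluding any L2 padding; it can be a nested size if parsing an ICMP or ICMP6 header.` Whether the nested size is also free of padding is not visible here, so confirm that before wording it that way. The comment block and the function it documents continue outside the hunk.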
@@ -1949,7 +1952,6 @@ conn_key_extract(struct conntrack *ct, struct dp_packet *pkt, ovs_be16 dl_type,
* we use a sparse representation (miniflow).
*
*/
- const char *tail = dp_packet_tail(pkt);
bool ok;
ctx->key.dl_type = dl_type;
@@ -1960,11 +1962,11 @@ conn_key_extract(struct conntrack *ct, struct dp_packet *pkt, ovs_be16 dl_type,
} else {
bool hwol_good_l3_csum = dp_packet_ip_checksum_valid(pkt);
/* Validate the checksum only when hwol is not supported. */
- ok = extract_l3_ipv4(&ctx->key, l3, tail - (char *) l3, NULL,
+ ok = extract_l3_ipv4(&ctx->key, l3, dp_packet_l3_size(pkt), NULL,
!hwol_good_l3_csum);
}
} else if (ctx->key.dl_type == htons(ETH_TYPE_IPV6)) {
- ok = extract_l3_ipv6(&ctx->key, l3, tail - (char *) l3, NULL);
+ ok = extract_l3_ipv6(&ctx->key, l3, dp_packet_l3_size(pkt), NULL);
} else {
ok = false;
}
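Review bot: The bound passed to `extract_l3_ipv4()` and `extract_l3_ipv6()` is no longer computed from the buffer end but read from packet metadata through `dp_packet_l3_size(pkt)`, so the length and checksum checks are only as sound as that metadata. The old `tail - (char *) l3` could not exceed the buffer by construction; the new value is in bounds only if the pad size recorded for `pkt` is current and never larger than the bytes that follow `l3`, which cannot be confirmed from these lines. I would record that assumption at the call, e.g. `/* Relies on the L2 pad size recorded at parse time being <= tail - l3. */`, and check that every path reaching this function has parsed the packet after its last resize. The same applies to the `dp_packet_l4_size(pkt)` argument in the `extract_l4()` hunk below. conn_key_extract's body starts and ends outside the hunk.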
@@ -1974,8 +1976,8 @@ conn_key_extract(struct conntrack *ct, struct dp_packet *pkt, ovs_be16 dl_type,
if (!hwol_bad_l4_csum) {
bool hwol_good_l4_csum = dp_packet_l4_checksum_valid(pkt);
/* Validate the checksum only when hwol is not supported. */
- if (extract_l4(&ctx->key, l4, tail - l4, &ctx->icmp_related, l3,
- !hwol_good_l4_csum)) {
+ if (extract_l4(&ctx->key, l4, dp_packet_l4_size(pkt),
+ &ctx->icmp_related, l3, !hwol_good_l4_csum)) {
ctx->hash = conn_key_hash(&ctx->key, ct->hash_basis);
return true;
}
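Review bot: In the `extract_l4()` call the start pointer is still the local `l4`, while the length now comes from `dp_packet_l4_size(pkt)`, so the bound is only correct if both refer to the same offset. The declaration of `l4` is outside this hunk; if it is always `dp_packet_l4(pkt)` the pair is consistent, but nothing here ties them together. A later change that derives `l4` from header parsing instead would leave the length describing a different start and could let L4 parsing or checksumming read past the payload. A comment at the call such as `/* 'l4' must be dp_packet_l4(pkt) so that it matches dp_packet_l4_size(). */` would make the dependency visible. conn_key_extract's body begins outside the hunk.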