flow: Add length check when retrieving TCP flags.

When collecting TCP flags we check that the IP header indicates that
a TCP header is present but not that the packet is actually long
enough to contain the header.  This adds a check to prevent reading
off the end of the packet.

In practice, this is only likely to result in reading of bad data and
not a crash due to the presence of struct skb_shared_info at the end
of the packet.

Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>

diff --git a/datapath/flow.c b/datapath/flow.c
index fb4fc217baad59a3bf9942da3eff5023ae315130..27a8f249010a79a059f33a38e3bd154d61316899 100644 (file)
--- a/datapath/flow.c
+++ b/datapath/flow.c
@@ -185,7 +185,8 @@ void ovs_flow_used(struct sw_flow *flow, struct sk_buff *skb)
        u8 tcp_flags = 0;
 
        if (flow->key.eth.type == htons(ETH_P_IP) &&
-           flow->key.ip.proto == IPPROTO_TCP) {
+           flow->key.ip.proto == IPPROTO_TCP &&
+           likely(skb->len >= skb_transport_offset(skb) + sizeof(struct tcphdr))) {
                u8 *tcp = (u8 *)tcp_hdr(skb);
                tcp_flags = *(tcp + TCP_FLAGS_OFFSET) & TCP_FLAG_MASK;
        }

diff --git a/lib/dpif-netdev.c b/lib/dpif-netdev.c
index e1dc725dd8874b58c1af44ac87f33178bca462c1..d73050a3461480e68be2eb8df4c182a073c683ef 100644 (file)
--- a/lib/dpif-netdev.c
+++ b/lib/dpif-netdev.c
@@ -976,7 +976,8 @@ dp_netdev_flow_used(struct dp_netdev_flow *flow, struct flow *key,
     flow->used = time_msec();
     flow->packet_count++;
     flow->byte_count += packet->size;
-    if (key->dl_type == htons(ETH_TYPE_IP) && key->nw_proto == IPPROTO_TCP) {
+    if (key->dl_type == htons(ETH_TYPE_IP) &&
+        key->nw_proto == IPPROTO_TCP && packet->l7) {
         struct tcp_header *th = packet->l4;
         flow->tcp_ctl |= th->tcp_ctl;
     }