From patchwork Sat Sep 28 05:47:20 2019
X-Patchwork-Submitter: "Li,Rongqing via dev"
X-Patchwork-Id: 1168794
Date: Sat, 28 Sep 2019 11:17:20 +0530
Message-ID: <1569649640-8697-1-git-send-email-vishal.deep.ajmera@ericsson.com>
Subject: [ovs-dev] [PATCH branch-2.6] conntrack: Fix ICMPv4 error data L4 length check.
X-Patchwork-Original-From: Vishal Deep Ajmera via dev
From: "Li,Rongqing via dev"
Reply-To: Vishal Deep Ajmera

From: Darrell Ball

The ICMPv4 error data L4 length check was found to be too strict for TCP,
expecting a minimum of 20 rather than 8 bytes. This worked by
happenstance for other inner protocols. The approach is to explicitly
handle the ICMPv4 error data L4 length check and to do this for all
supported inner protocols in the same way. Making the code common
between protocols also allows the existing ICMPv4 related UDP tests to
cover TCP and ICMP inner protocol cases.

Note that ICMPv6 does not have an 8 byte limit for error L4 data.

Fixes: a489b16854b5 ("conntrack: New userspace connection tracker.")
CC: Daniele Di Proietto
Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2019-August/361949.html
Reported-by: Vishal Deep Ajmera
Signed-off-by: Vishal Deep Ajmera
Co-authored-by: Vishal Deep Ajmera
Signed-off-by: Darrell Ball
Signed-off-by: Ben Pfaff
(cherry picked from commit 6c2a93064afe8d812e4506880d1fd8f96108f92a)

Conflicts:
lib/conntrack.c
---
lib/conntrack.c | 35 ++++++++++++++++++++---------------
lib/packets.h | 3 +++
2 files changed, 23 insertions(+), 15 deletions(-)

diff --git a/lib/conntrack.c b/lib/conntrack.c index 8abaf7e..d59083e 100644 --- a/lib/conntrack.c +++ b/lib/conntrack.c 
@@ -664,11 +664,12 @@ check_l4_icmp6(const struct conn_key *key, const void *data, size_t size, } static inline bool -extract_l4_tcp(struct conn_key *key, const void *data, size_t size) +extract_l4_tcp(struct conn_key *key, const void *data, size_t size, + size_t *chk_len) { const struct tcp_header *tcp = data; - if (OVS_UNLIKELY(size < TCP_HEADER_LEN)) { + if (OVS_UNLIKELY(size < (chk_len ? *chk_len : TCP_HEADER_LEN))) { return false; } @@ -680,11 +681,12 @@ extract_l4_tcp(struct conn_key *key, const void *data, size_t size) } static inline bool -extract_l4_udp(struct conn_key *key, const void *data, size_t size) +extract_l4_udp(struct conn_key *key, const void *data, size_t size, + size_t *chk_len) { const struct udp_header *udp = data; - if (OVS_UNLIKELY(size < UDP_HEADER_LEN)) { + if (OVS_UNLIKELY(size < (chk_len ? *chk_len : UDP_HEADER_LEN))) { return false; } @@ -696,7 +698,8 @@ extract_l4_udp(struct conn_key *key, const void *data, size_t size) } static inline bool extract_l4(struct conn_key *key, const void *data, - size_t size, bool *related, const void *l3); + size_t size, bool *related, const void *l3, + size_t *chk_len); static uint8_t reverse_icmp_type(uint8_t type) @@ -728,11 +731,11 @@ reverse_icmp_type(uint8_t type) * possible */ static inline int extract_l4_icmp(struct conn_key *key, const void *data, size_t size, - bool *related) + bool *related, size_t *chk_len) { const struct icmp_header *icmp = data; - if (OVS_UNLIKELY(size < ICMP_HEADER_LEN)) { + if (OVS_UNLIKELY(size < (chk_len ? *chk_len : ICMP_HEADER_LEN))) { return false; } @@ -783,8 +786,9 @@ extract_l4_icmp(struct conn_key *key, const void *data, size_t size, key->src = inner_key.src; key->dst = inner_key.dst; key->nw_proto = inner_key.nw_proto; + size_t check_len = ICMP_ERROR_DATA_L4_LEN; - ok = extract_l4(key, l4, tail - l4, NULL, l3); + ok = extract_l4(key, l4, tail - l4, NULL, l3, &check_len); if (ok) { conn_key_reverse(key); *related = true; 
@@ -872,7 +876,7 @@ extract_l4_icmp6(struct conn_key *key, const void *data, size_t size, key->dst = inner_key.dst; key->nw_proto = inner_key.nw_proto; - ok = extract_l4(key, l4, tail - l4, NULL, l3); + ok = extract_l4(key, l4, tail - l4, NULL, l3, NULL); if (ok) { conn_key_reverse(key); *related = true; @@ -897,21 +901,22 @@ extract_l4_icmp6(struct conn_key *key, const void *data, size_t size, * an ICMP or ICMP6 header. * * * If 'related' is NULL, it means that we're already parsing a header nested - * in an ICMP error. In this case, we skip checksum and length validation. */ + * in an ICMP error. In this case, we skip the checksum and some length + * validations. */ static inline bool extract_l4(struct conn_key *key, const void *data, size_t size, bool *related, - const void *l3) + const void *l3, size_t *chk_len) { if (key->nw_proto == IPPROTO_TCP) { return (!related || check_l4_tcp(key, data, size, l3)) - && extract_l4_tcp(key, data, size); + && extract_l4_tcp(key, data, size, chk_len); } else if (key->nw_proto == IPPROTO_UDP) { return (!related || check_l4_udp(key, data, size, l3)) - && extract_l4_udp(key, data, size); + && extract_l4_udp(key, data, size, chk_len); } else if (key->dl_type == htons(ETH_TYPE_IP) && key->nw_proto == IPPROTO_ICMP) { return (!related || check_l4_icmp(data, size)) - && extract_l4_icmp(key, data, size, related); + && extract_l4_icmp(key, data, size, related, chk_len); } else if (key->dl_type == htons(ETH_TYPE_IPV6) && key->nw_proto == IPPROTO_ICMPV6) { return (!related || check_l4_icmp6(key, data, size, l3)) @@ -982,7 +987,7 @@ conn_key_extract(struct conntrack *ct, struct dp_packet *pkt, ovs_be16 dl_type, if (ok) { if (extract_l4(&ctx->key, l4, dp_packet_l4_size(pkt), - &ctx->related, l3)) { + &ctx->related, l3, NULL)) { ctx->hash = conn_key_hash(&ctx->key, ct->hash_basis); return true; } diff --git a/lib/packets.h b/lib/packets.h index 0705576..adfa86c 100644 --- a/lib/packets.h +++ b/lib/packets.h 
@@ -656,6 +656,9 @@ struct icmp_header { }; BUILD_ASSERT_DECL(ICMP_HEADER_LEN == sizeof(struct icmp_header)); +/* ICMPV4 */ +#define ICMP_ERROR_DATA_L4_LEN 8 + #define IGMP_HEADER_LEN 8 struct igmp_header { uint8_t igmp_type;
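Review bot: in the extract_l4_tcp hunk (lib/conntrack.c, @@ -664), the relaxed check 'size < (chk_len ? *chk_len : TCP_HEADER_LEN)' lets the function continue with as few as 8 bytes of TCP header on the ICMPv4 error path, so every field read from 'tcp' after this check has to lie within those first 8 bytes. The hunk does not show those reads. A comment at the check naming the fields that are read on this path would stop a later change from touching flags or options beyond the validated length. The same applies to the UDP and ICMP extractors. Since 'chk_len' is only ever dereferenced for reading, declaring it 'const size_t *chk_len' in all four signatures would make that explicit.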
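Review bot: the call 'ok = extract_l4(key, l4, tail - l4, NULL, l3, &check_len);' in the extract_l4_icmp hunk (@@ -783) is the only place the 8-byte bound takes effect, and the diffstat touches only lib/conntrack.c and lib/packets.h, so no test pins the case from the report. Please add a test that sends an ICMPv4 error carrying exactly 8 bytes of the inner TCP header and checks that it is marked related, plus one carrying 7 bytes that must fail extraction, so both sides of the new bound are covered. The local 'check_len' is never modified and could be declared const once the parameter is a pointer to const.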
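Review bot: missing documentation in the extract_l4 hunk (@@ -897): the comment now says 'some length validations' are skipped but never mentions the new 'chk_len' parameter. It should state that a non-NULL 'chk_len' replaces the per-protocol minimum header length in the TCP, UDP and ICMP extractors, that NULL keeps the full-header check, and that only the ICMPv4 error path passes a non-NULL value (conn_key_extract and extract_l4_icmp6 both pass NULL in this patch). Without that, the relationship between 'related == NULL' and 'chk_len != NULL' has to be reconstructed from the callers.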
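Review bot: in the lib/packets.h hunk, the comment '/* ICMPV4 */' above '#define ICMP_ERROR_DATA_L4_LEN 8' does not say what the 8 measures, and the name alone can be read as an exact or maximum length. Suggest spelling out that it is the minimum number of bytes of the original datagram's L4 data carried in an ICMPv4 error message (RFC 792: internet header plus 64 bits of original data) and that conntrack uses it as the lower bound when parsing the embedded header.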