2: fix NULL deref in l2-efp-filter for short/untagged frames #86
Closed: yelenaRad wants to merge 313 commits into vpp-dev:master from yelenaRad:fix-l2-efp-filter-null-deref
In that case (e.g. trying to connect on a closed port), a connection is refused and no session is allocated. As such, we cannot use the struct to obtain the worker or vlib_main_t. Type: fix Change-Id: I9b44ccb42ba56a75b8ecc39501a7386ba2e84981 Signed-off-by: Semir Sionek <ssionek@cisco.com>
To include vcl_evt code in the build, make build VPP_EXTRA_CMAKE_ARGS=-DVPP_VCL_ELOG=ON Type: fix Change-Id: I45bd093001de6e3dd4d6894726a470cf1ded952b Signed-off-by: Steven Luong <sluong@cisco.com>
Also add tests for - multi worker cl connects/binds - 2 multi worker servers binding the same port Type: improvement Change-Id: I222756b7664ffdba83cb69bb0c730526dad3065c Signed-off-by: Florin Coras <fcoras@cisco.com>
Type: fix Details: I have the situation that ip_neighbor_learn is called for an already deleted interface. The reproduction sequence is following 1. arp_input -> arp_reply on some worker 2. call ip_neighbor_learn_dp , so request to perform ip_neighbor_learn on the vpp_main thread 3. the vpp_main thread is very busy - at the same moment we remove most of l2 interfaces and vrfs under barrier sync, including the TX interface of arp_reply 4. call ip_neighbor_learn in the main thread , when the appropriate interface is already deleted Change-Id: I69b167ba919d57f19d6b941260243bca889c31c1 Signed-off-by: Anna Neiman <anna.neiman@insidepacket.com>
Type: improvement Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com> Change-Id: I035acc97abb1ce63ce09019b790ee81c803d5d90
- multiple core files support - choose correct app binary in gdb bt (before vpp only) - platform independent solib-search-path (before x86_64 only) Type: test Change-Id: I70f48defcdfc6821e321b4b15ba95ad245407db0 Signed-off-by: Matus Fabian <matfabia@cisco.com>
Type: fix Change-Id: Ic873cb9511cf70619722e7b0f58211ad2a2a6772 Signed-off-by: Florin Coras <fcoras@cisco.com>
For now test if binds work as expected. Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I3227c5b298763dd8d48ef1bf4858cb66df9aeafd
This implements the HTTP PUT request with the ability to stream the data in chunks, rather than sending the entire request body at once. Type: feature Change-Id: Ib04103a4bacf76a3c0bf9483a63a2edb693276c6 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Type: feature Change-Id: I42e94b6282fa693d3c69f938ec9d3a290b71b9fa Signed-off-by: Matus Fabian <matfabia@cisco.com>
When using the save-to arg, the http client saves the body of the response to file. With the current mechanism it would allocate a buffer as big as the body (up to the limit), iteratively fill it and dump everything (along with the headers) into the file. This would limit how big of a response can be saved due to memory constraints and settings, as well as not reproduce it accurately (e.g. the file would need to be trimmed from the saved headers). With the new approach, if the response is too big for the max-body-size settings, we reduce the buffer size to the fifo size, fill it up and write it to file. We keep the file pointer and write to it, until we have the response fully saved. The headers are now being displayed through the cli, similarly to the verbose mode. Type: improvement Change-Id: I6a72749bc9c1175aba7769d83984d1d4a40ee9f0 Signed-off-by: Semir Sionek <ssionek@cisco.com>
Try to drop locks if interrupted with locks grabbed. Type: fix Change-Id: I8d4996b6f35a8a2610327fb11e80e9951808b535 Signed-off-by: Florin Coras <fcoras@cisco.com>
VCL doesn't work with musl. Type: improvement Change-Id: I5cb69da680dc98d14d88e340b4db6b5a8584ff23 Signed-off-by: Damjan Marion <damarion@cisco.com>
format full path into variable, null terminate and free it after use in hc_session_connected_callback Type: fix Change-Id: I3ed64dd247bf5ac9af8fa65517b6308a98205fd4 Signed-off-by: Matus Fabian <matfabia@cisco.com>
Print response status and headers as vectors. Type: fix Change-Id: I7321776e4914c139d85cd3f45ee67afd0850caee Signed-off-by: Florin Coras <fcoras@cisco.com>
- changed to 5001, CalicoVPP uses port 5000 Type: test Change-Id: Ic45c613d684685f21e49612c4e6454c302bbabb6 Signed-off-by: Adrian Villin <avillin@cisco.com>
Change-Id: I920bef41426c10a4560cc3e923ca747054a5aeec Type: improvement Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
Breaks non-glibc builds... Type: improvement Change-Id: If48a444ff358ef85973504795c06287269ed5c55 Signed-off-by: Damjan Marion <damarion@cisco.com>
Client can receive response (error) from server while still sending body bytes, handle this as exception in state machine instead of error. Type: improvement Change-Id: I6aa3f7f5aaa299ac781109dd75295a7eb3a42cf9 Signed-off-by: Matus Fabian <matfabia@cisco.com>
For mt single vcl worker apps, only guard vcl session pool, as opposed to vls pool, to allow workers to perform updates. Also convert spool mutex into rwlock and make sure all operations that interact with vcl session pools grab at least the reader lock. Type: improvement Change-Id: Ief41912bc84881772d2279cd84dabb983a91b4cb Signed-off-by: Florin Coras <fcoras@cisco.com>
Type: test Change-Id: I30a2541bda71aae4cbf2be76f428d23309470631 Signed-off-by: Florin Coras <fcoras@cisco.com>
Client app pass path as data bytes and length, not null terminated string. Fix also msg.data.target_path_len value in http client and http cli client, set it to string length not vec_len. Type: fix Change-Id: Icab6d830812bbfc2e6df82564d6d087476769111 Signed-off-by: Matus Fabian <matfabia@cisco.com>
- make sure all params are present in both create and add/del listener - rename max-body-size to max-req-body-size as it should be easier to glean the purpose of the config Type: refactor Change-Id: I0f30eebe0b001e48ff640552396087e5da35334d Signed-off-by: Florin Coras <fcoras@cisco.com>
Avoid potential deadlock if app is sigtermed and wants workers lock to cleanup worker while reattaching. Type: improvement Change-Id: I97f5935d309de83717e5a0a82055c91e07c4cb17 Signed-off-by: Florin Coras <fcoras@cisco.com>
This patch enables async processing support for SSL clients. Type: improvement Change-Id: I8d9462b439ff6e0962ee30cb8b596a2744a1aa33 Signed-off-by: Varun Rapelly <vrapelly@marvell.com>
Type: improvement Change-Id: I4609c3a89c4df0883aa25f07623dad68c539d70d Signed-off-by: Matus Fabian <matfabia@cisco.com>
Make sure taps have multiple queues and consistent qp mode enabled. Type: test Change-Id: Icf00290fad1934adcbfcfe56530d37f0793b0bca Signed-off-by: Florin Coras <fcoras@cisco.com> Signed-off-by: Matus Fabian <matfabia@cisco.com>
- we can now build master CalicoVPP with master VPP using: 'make setup-cluster BASE=master' - TODO: docs, use the same VPP build in CalicoVPP as in HST images (so that VPP isn't built twice) Type: test Change-Id: If5ba154a2f6868db04c17742f4e531269e57a56e Signed-off-by: Adrian Villin <avillin@cisco.com>
Type: improvement Change-Id: I5e582e6fec972d6d61683a7a76c2a3f222a9030b Signed-off-by: Matus Fabian <matfabia@cisco.com>
The added feature enables the GRE plugin to create tunnels between the same endpoints, distinguishing them by the "key" value. It uses the standard 'key' parameter in the GRE header. Changes have been made to add support for CLI and API to create tunnels with a "key" value. The CLI syntax is as follows: create gre tunnel src src_IP_Address dst dst_IP_Address key key_value All existing GRE functionalities, such as tunnel type and mode, remain unchanged. GRE key support has been implemented for all non-ERSPAN tunnel types, including both IPv4 and IPv6. Additionally, modifications were made to the GRE packet header, data structure, and inbound/outbound packet processing to accommodate key configuration through CLI and API. Type: feature Change-Id: I222d585007fa264e7cc12c79d6ba9c63c044f133 Signed-off-by: Masih Nilforoush <m.nilforoush@x-ion.de>
Change-Id: I855c394262b275d1f98d9bce1a3cd4a2411d88f7 Type: improvement Signed-off-by: Damjan Marion <damarion@cisco.com>
Type: improvement Change-Id: I8b509b3eb03b4df2972e73aeec4771190652171b Signed-off-by: Damjan Marion <damarion@cisco.com>
Type: fix Change-Id: I5096d3869134af4f696b2ee9be605a9d049202d4 Signed-off-by: Matus Fabian <matfabia@cisco.com>
- separated cluster tests from hs-test and moved them into test-c/kube-test - cleaned up kube-test and hs-test - kube-test setup-cluster.sh improvements - Makefile in extras/hs-test is temporary - kube-test stability improvements Type: test Change-Id: Iee9fc732ccd303d4b4635d329f673c03f95a4dd4 Signed-off-by: Adrian Villin <avillin@cisco.com>
print flags and h2 request variables like window size on hi verbosity Type: improvement Change-Id: Ibfa73fe9d04745078c0ae0efa79cd4cb521433b9 Signed-off-by: Matus Fabian <matfabia@cisco.com>
Type: improvement Change-Id: I073f78b29ab32d0d9f4447813acc684b6576f264 Signed-off-by: Damjan Marion <damarion@cisco.com>
Type: improvement
To enable debugging information in vpp_daq, one needs to pass:
--daq-var debug
daq_vpp: daq_vpp_instantiate: creating instance 1 out of 2 with input vpp0
daq_vpp: daq_vpp_socket_connect: connecting to socket /run/vpp/snort.sock
daq_vpp: daq_vpp_socket_connect: connected to socket /run/vpp/snort.sock
daq_vpp: daq_vpp_request: send msg: { type: CONNECT, connect: { num_snort_instances: 2, daq_version: 3.0.2
daq_vpp: daq_vpp_request: recv msg: { err: 0, connect: { num_bpools: 2 } }
daq_vpp: daq_vpp_request: send msg: { type: GET_BUFFER_POOL, get_buffer_pool: { buffer_pool_index: 0 } }
daq_vpp: daq_vpp_request: recv msg: { err: 0, get_buffer_pool: { size: 320864256 } }
daq_vpp: daq_vpp_request: send msg: { type: GET_BUFFER_POOL, get_buffer_pool: { buffer_pool_index: 1 } }
daq_vpp: daq_vpp_request: recv msg: { err: 0, get_buffer_pool: { size: 320864256 } }
daq_vpp: daq_vpp_request: send msg: { type: GET_INPUT, get_input: { input_name: "vpp0" } }
daq_vpp: daq_vpp_request: recv msg: { err: 0, get_input: { input_index: 0, num_qpairs: 2, shm_size: 61440
daq_vpp: daq_vpp_request: send msg: { type: ATTACH_QPAIR, attach_qpair: { input_index: 0, qpair_index: 0 }
daq_vpp: daq_vpp_request: recv msg: { err: 0, attach_qpair: { qpair_id: { thread_id: 0, queue_id: 0 }, log
daq_vpp: daq_vpp_find_or_add_input: input vpp0 qpair 0.0: size 1024, hdr 0x7f01543bc000, enq 0x7f01543c208
daq_vpp: daq_vpp_request: send msg: { type: ATTACH_QPAIR, attach_qpair: { input_index: 0, qpair_index: 1 }
daq_vpp: daq_vpp_request: recv msg: { err: 0, attach_qpair: { qpair_id: { thread_id: 1, queue_id: 0 }, log
daq_vpp: daq_vpp_find_or_add_input: input vpp0 qpair 1.0: size 1024, hdr 0x7f01543c3080, enq 0x7f01543c910
daq_vpp: daq_vpp_add_qpair_to_instance: qpair 0.0 added to instance 1
daq_vpp: daq_vpp_instantiate: creating instance 2 out of 2 with input vpp0
daq_vpp: daq_vpp_add_qpair_to_instance: qpair 1.0 added to instance 2
daq_vpp: daq_vpp_get_msg_pool_info: getting msg pool info
daq_vpp: daq_vpp_get_msg_pool_info: getting msg pool info
daq_vpp: daq_vpp_ioctl: ioctl cmd DIOCTL_GET_PRIV_DATA_LEN
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I33bfbf50999bdf7658a5710da239bb0d1c4ca787
- add encode / decode macros for consistency across quic engine implementations - debug code cleanup Type: refactor Change-Id: I7d0412b78a7555dbd346c4cfee56481effe054a5 Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Type: feature Change-Id: Iaa1df805417e1997dca44e588f84e6a7daff56c7 Signed-off-by: Monendra Singh Kushwaha <kmonendra@marvell.com>
Type: fix Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com> Change-Id: Iffc86d9a59a86c3acf3959ef4eb66c5379c8d659
Type: make Change-Id: I6bd6df968577a4b5335f0604e02c2ea05d938355 Signed-off-by: Damjan Marion <damarion@cisco.com>
- caching calico images in local registry - updated calico config template Type: test Change-Id: I9f1b3b1301914c4e44e7963f9fdfe6a5dd7ddd2a Signed-off-by: Adrian Villin <avillin@cisco.com>
client_index inside vapi message is an opaque cookie. client_index in vapi is just index inside sockclnt_create/sockclnt_delete messages. Type: fix Change-Id: Id06ff078788994d6c426e85e5ce08a259e236bc0 Signed-off-by: Stanislav Zaikin <stanislav.zaikin@46labs.com>
Type: fix - Use irt->is_tunnel flag to properly detect IPSec tunnel mode SAs - Skip IP address verification for IPSec tunnel mode (outer IP already validated) Change-Id: Icd57b699b745f764e7e87bbbb4cf891e82320f37 Signed-off-by: Denys Haryachyy <garyachy@gmail.com>
Change-Id: I2753b5b200791130b83fa07b0fa731e636f79252 Signed-off-by: Mihut Aronovici <aronovic@cisco.com> Type: improvement
Close the new session. Type: fix Change-Id: I5cc231b68e7da9c9c459bab1706490ac18cfeabc Signed-off-by: Florin Coras <fcoras@cisco.com>
Fifo ooo_deq is used when peeking. Consequently, when migrating a udp session already scheduled for sending, the owner thread will read corrupted data. Overload enq/deq rbtrees instead. Type: fix Change-Id: I5bf25355f64513911a349e42c056b3a9b6eb3523 Signed-off-by: Florin Coras <fcoras@cisco.com>
Type: improvement This patch implements support for retrieving private data length via ioctl. The private data pointer is set in the message header, and when Snort processes the packet, it can request the length of this private data through the ioctl interface. Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com> Change-Id: I02a831557b349bab7c9c8fe2e00cd8b085d3e5f7
test_send_buffer was originally supposed to be used for assembling dgrams with included data buffer offsets. As we decided on using segments, this is not needed. Type: fix Change-Id: I3cdbfc077aefeecc44615cb93f7d9f3274b6b5fb Signed-off-by: Semir Sionek <ssionek@cisco.com>
Do not program tx evt on passive open when session is closed Type: fix Change-Id: Iddf1e40689caf87e1846534c58b0d42f07ca046e Signed-off-by: Matus Fabian <matfabia@cisco.com>
Type: test Change-Id: I6514cad1349c65a4ae79e657a3d64d380ce1c1e4 Signed-off-by: Adrian Villin <avillin@cisco.com>
Do not print handshake times for UDP, include total dgram sent/received/loss percentage statistics. Type: improvement Change-Id: I67df73d56b2971c8fddd757fceef76c0f208aed4 Signed-off-by: Semir Sionek <ssionek@cisco.com>
Type: fix Change-Id: Ic6f02e47cd7f83d3ac0f273b9bff5c6c1d8d5a43 Signed-off-by: Florin Coras <fcoras@cisco.com> Signed-off-by: Steven Luong <sluong@cisco.com>
Type: docs Change-Id: I53fedf2157cef54e124d6793c4ccd258f03319d4 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Type: fix Fixes: 344dab5 Code which tries to avoid removing multicast routes prematurely or adding them multiple times causes problems when lcp-sync is enabled. At the time the decision is made whether this is the first interface address added, multiple addresses may already be configured on the VPP interface. This causes the route to not be added. Retain the check which avoids premature removal and remove the one which tries to avoid adding the route multiple times. Adding the route more than once is innocuous. Signed-off-by: Matthew Smith <mgsmith@netgate.com> Change-Id: I2a29f87db5ba97e847a6e29ad2283386b1f1dc7b (cherry picked from commit bf44024)
Type: docs Change-Id: Ie23ca86195e04c50249763db5d24138650cea965 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Thank you so much for your interest! VPP takes patches at https://gerrit.fd.io/
Problem:
VPP may crash in l2-efp-filter with a SIGSEGV (faulting address 0x0) in the post-rewrite EFP filter path.
Observed backtrace example:
received signal SIGSEGV ... faulting address 0x0
#0 l2_efp_filter_node_fn_hsw ... (libvnet.so.25.10)
#1 vlib_main ...
Root Cause:
Two unsafe assumptions in the post-rewrite EFP filter processing:
- extract_keys() always reads h0[0] and h0[1] (outer/inner VLAN headers) without verifying that the packet actually contains enough VLAN headers / bytes in the buffer.
- eth_vlan_table_lookups() may return hi == NULL for some inputs, and the code then calls eth_identify_subint(hi, ...), which can dereference NULL and crash.
Fix:
This patch hardens l2_efp_filter.c in two places:
Make extract_keys() safe
- Initialize outer_id / inner_id to 0 by default.
- Validate l2_len and current_length.
- Clamp bytes-after-ethernet to what is actually available in the buffer.
- Derive VLAN tag count safely and cap it to max 2 tags.
- Only read VLAN headers when tag_num >= 1/2.
Guard eth_identify_subint()
- Introduce safe_eth_identify_subint() wrapper.
- If hi == NULL, avoid calling eth_identify_subint() and force a mismatch (set subint_sw_if_index = ~0), so the packet is dropped by the existing EFP filter logic instead of crashing.
Behavior / Impact:
- No behavior change for valid packets and normal configurations.
- For malformed/short frames or unexpected lookup results, VPP no longer crashes; packets are handled safely (typically dropped by EFP filter as intended).
Testing
- Generated traffic on VLAN subinterfaces (e.g., .2000) and verified packets traverse l2-efp-filter without triggering a crash.
- Verified l2-efp-filter counters increment and post-rewrite drop counter behaves as expected for mismatches.
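
The two guards described in the pull request above, sketched as an added example; this is not the patch itself and not VPP code. `pkt_t`, `hw_if_t`, `extract_keys_checked()` and `subint_or_mismatch()` are hypothetical stand-ins for the buffer, the lookup result and the hardened helpers, and the sample frame is constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define ETH_HDR_LEN  14u   /* dst MAC + src MAC + ethertype */
#define VLAN_TAG_LEN 4u    /* 16-bit TCI + 16-bit next ethertype */
#define MAX_TAGS     2u
#define NO_SUBINT    (~0u) /* forces a mismatch, so the filter drops */

/* Hypothetical stand-ins, not VPP's buffer or hw-interface types. */
typedef struct { const uint8_t *data; uint32_t current_length, l2_len; } pkt_t;
typedef struct { uint32_t subint_sw_if_index; } hw_if_t;

/* Constructed sample: QinQ frame, outer VLAN 2000, inner VLAN 100. */
static const uint8_t SAMPLE_QINQ[22] = {
  0x02, 0, 0, 0, 0, 0x01, 0x02, 0, 0, 0, 0, 0x02, 0x88, 0xa8,
  0x07, 0xd0, 0x81, 0x00, 0x00, 0x64, 0x08, 0x00 };

static uint16_t vlan_id (const uint8_t *tag)
{
  return (uint16_t) (((tag[0] << 8) | tag[1]) & 0x0fff);
}

/* Returns how many VLAN tags were read (0..2); unread IDs stay 0. */
static uint32_t extract_keys_checked (const pkt_t *b, uint16_t *outer_id,
                                      uint16_t *inner_id)
{
  *outer_id = *inner_id = 0;
  if (!b->data || b->l2_len < ETH_HDR_LEN || b->current_length < ETH_HDR_LEN)
    return 0;
  uint32_t after_eth = b->l2_len - ETH_HDR_LEN;
  uint32_t avail = b->current_length - ETH_HDR_LEN;
  if (after_eth > avail)
    after_eth = avail; /* never trust l2_len beyond the bytes present */
  uint32_t tag_num = after_eth / VLAN_TAG_LEN;
  if (tag_num > MAX_TAGS)
    tag_num = MAX_TAGS;
  if (tag_num >= 1)
    *outer_id = vlan_id (b->data + ETH_HDR_LEN);
  if (tag_num >= 2)
    *inner_id = vlan_id (b->data + ETH_HDR_LEN + VLAN_TAG_LEN);
  return tag_num;
}

/* A NULL lookup result becomes a mismatch instead of a dereference. */
static uint32_t subint_or_mismatch (const hw_if_t *hi)
{
  return hi ? hi->subint_sw_if_index : NO_SUBINT;
}

int main (void)
{
  uint16_t o, i;
  pkt_t cut = { SAMPLE_QINQ, 18, 22 }; /* l2_len claims 2 tags, 1 present */
  uint32_t n = extract_keys_checked (&cut, &o, &i);
  printf ("tags=%u outer=%d inner=%d subint=0x%x\n", n, o, i,
          subint_or_mismatch (NULL));
  return 0;
}
```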