From 6e334e3e77bb156a9317a37500077a218a04f7a3 Mon Sep 17 00:00:00 2001 From: Benoît Ganne Date: Mon, 31 Aug 2020 18:59:34 +0200 Subject: ip: fix ip zero checksum verification MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In one's complement, there are two representations of zero: the all zero and the all one bit values, often referred to as +0 and -0. See RFC 1624 section 3 for more details. This used to be taken care of in ip4_header_checksum(), but it is no longer the case. The check ip->checksum == ip4_header_checksum (ip) is no longer correct in the -0 case. Always use ip4_header_checksum_is_valid() instead (which behaves correctly since 9a79a1ab931c3b5a7ae07d6f0fcfef7c4368a2c4). Type: fix Fixes: e5f0050c7a5d411f96af6401797529d58825e2af Change-Id: Iacc6b60645a834287b085aecb9e3fdb4554cf0cf Signed-off-by: Benoît Ganne --- src/plugins/flowprobe/node.c | 2 +- src/plugins/ioam/udp-ping/udp_ping_export.c | 4 ++-- src/plugins/map/ip4_map.c | 2 +- src/plugins/nat/nat_ipfix_logging.c | 2 +- src/plugins/ping/ping.c | 6 +++--- 5 files changed, 8 insertions(+), 8 deletions(-) (limited to 'src/plugins') diff --git a/src/plugins/flowprobe/node.c b/src/plugins/flowprobe/node.c index 2dd49b3f48f..a81f7a6c45b 100644 --- a/src/plugins/flowprobe/node.c +++ b/src/plugins/flowprobe/node.c @@ -598,7 +598,7 @@ flowprobe_export_send (vlib_main_t * vm, vlib_buffer_t * b0, udp->checksum = 0xffff; } - ASSERT (ip->checksum == ip4_header_checksum (ip)); + ASSERT (ip4_header_checksum_is_valid (ip)); /* Find or allocate a frame */ f = fm->context[which].frames_per_worker[my_cpu_number]; diff --git a/src/plugins/ioam/udp-ping/udp_ping_export.c b/src/plugins/ioam/udp-ping/udp_ping_export.c index d25eb1041dd..3c632c86900 100644 --- a/src/plugins/ioam/udp-ping/udp_ping_export.c +++ b/src/plugins/ioam/udp-ping/udp_ping_export.c @@ -152,7 +152,7 @@ udp_ping_send_flows (flow_report_main_t * frm, flow_report_t * fr, if (udp->checksum == 0) udp->checksum = 0xffff; - ASSERT (ip->checksum == ip4_header_checksum (ip)); + ASSERT (ip4_header_checksum_is_valid (ip)); to_next[0] = bi0; f->n_vectors++; @@ -203,7 +203,7 @@ udp_ping_send_flows (flow_report_main_t * frm, flow_report_t * fr, if (udp->checksum == 0) udp->checksum = 0xffff; - ASSERT (ip->checksum == ip4_header_checksum (ip)); + ASSERT (ip4_header_checksum_is_valid (ip)); to_next[0] = bi0; f->n_vectors++; diff --git a/src/plugins/map/ip4_map.c b/src/plugins/map/ip4_map.c index ea63901bf89..a4889627f0b 100644 --- a/src/plugins/map/ip4_map.c +++ b/src/plugins/map/ip4_map.c @@ -97,7 +97,7 @@ ip4_map_decrement_ttl (ip4_header_t * ip, u8 * error) *error = ttl <= 0 ? IP4_ERROR_TIME_EXPIRED : *error; /* Verify checksum. */ - ASSERT (ip->checksum == ip4_header_checksum (ip)); + ASSERT (ip4_header_checksum_is_valid (ip)); } static u32 diff --git a/src/plugins/nat/nat_ipfix_logging.c b/src/plugins/nat/nat_ipfix_logging.c index 3b75260148f..42252b2eb0c 100644 --- a/src/plugins/nat/nat_ipfix_logging.c +++ b/src/plugins/nat/nat_ipfix_logging.c @@ -567,7 +567,7 @@ snat_ipfix_send (u32 thread_index, flow_report_main_t * frm, udp->checksum = 0xffff; } - ASSERT (ip->checksum == ip4_header_checksum (ip)); + ASSERT (ip4_header_checksum_is_valid (ip)); vlib_put_frame_to_node (vm, ip4_lookup_node.index, f); } diff --git a/src/plugins/ping/ping.c b/src/plugins/ping/ping.c index f56f44ffb26..0ce4f9698f0 100644 --- a/src/plugins/ping/ping.c +++ b/src/plugins/ping/ping.c @@ -474,8 +474,8 @@ ip4_icmp_echo_request (vlib_main_t * vm, ip0->checksum = ip_csum_fold (sum0); ip1->checksum = ip_csum_fold (sum1); - ASSERT (ip0->checksum == ip4_header_checksum (ip0)); - ASSERT (ip1->checksum == ip4_header_checksum (ip1)); + ASSERT (ip4_header_checksum_is_valid (ip0)); + ASSERT (ip4_header_checksum_is_valid (ip1)); p0->flags |= VNET_BUFFER_F_LOCALLY_ORIGINATED; p1->flags |= VNET_BUFFER_F_LOCALLY_ORIGINATED; @@ -531,7 +531,7 @@ ip4_icmp_echo_request (vlib_main_t * vm, ip0->checksum = ip_csum_fold (sum0); - ASSERT (ip0->checksum == ip4_header_checksum (ip0)); + ASSERT (ip4_header_checksum_is_valid (ip0)); p0->flags |= VNET_BUFFER_F_LOCALLY_ORIGINATED; } -- cgit 1.2.3-korg