-
Notifications
You must be signed in to change notification settings - Fork 2.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
bpf: don't access TCP flags for non initial IPv4 fragments #13908
Conversation
test-me-please |
When dealing with IPv4 fragmented packets, only the first fragment will contain the L4 header. In ct_lookup4() the packet's TCP flags are tested without checking first if the packet is an initial fragment/not fragmented, which may lead to incorrectly treating the l4 payload of the non initial IPv4 fragments as TCP flags. This commit fixes this. Signed-off-by: Gilberto Bertin <gilberto@isovalent.com>
test-me-please |
By looking at the test results and at the CI dashboard I think |
retest-4.9 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice catch!
Was it #13011 maybe? If it looks different, please open a CI flake issue. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice, thanks a lot for fixing this!
Yep, looks about the same :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, good catch 🚀 🥳
Note for future backports this caused complexity issues on 1.8, see #13951 (comment) and https://cilium.slack.com/archives/C7PE7V806/p1605016684205600. |
I'm not re-adding |
When dealing with IPv4 fragmented packets, only the first fragment will
contain the L4 header.
In ct_lookup4() the packet's TCP flags are tested without checking first
if the packet is an initial fragment/not fragmented, which may lead to
incorrectly treating the l4 payload of the non initial IPv4 fragments as
TCP flags.
This commit fixes this.