[ovs-dev] [PATCH] datapath-windows: Add validations for IP_HEADER_LEN

Guru Shetty guru at ovn.org
Thu Jun 22 19:33:16 UTC 2017 

On 15 June 2017 at 15:15, Shashank Ram <rams at vmware.com> wrote:

> Adds validations in OvsGetIp() to make sure the IHL is
> within valid bounds. If IHL is invalid, then the packet
> is dropped by the callers of this function.
>
> Signed-off-by: Shashank Ram <rams at vmware.com>
>
Applied, thanks.

> ---
>  datapath-windows/ovsext/Flow.c         | 5 +++++
>  datapath-windows/ovsext/Offload.c      | 3 +++
>  datapath-windows/ovsext/PacketParser.h | 9 ++++++++-
>  datapath-windows/ovsext/Stt.c          | 2 +-
>  datapath-windows/ovsext/User.c         | 5 +++++
>  datapath-windows/ovsext/Vxlan.c        | 3 ++-
>  6 files changed, 24 insertions(+), 3 deletions(-)
>
> diff --git a/datapath-windows/ovsext/Flow.c b/datapath-windows/ovsext/
> Flow.c
> index 60f9b1c..852a22f 100644
> --- a/datapath-windows/ovsext/Flow.c
> +++ b/datapath-windows/ovsext/Flow.c
> @@ -2141,6 +2141,9 @@ OvsExtractLayers(const NET_BUFFER_LIST *packet,
>                      }
>                  }
>              }
> +        } else {
> +            /* Invalid network header */
> +            return NDIS_STATUS_INVALID_PACKET;
>          }
>      } else if (dlType == htons(ETH_TYPE_IPV6)) {
>          NDIS_STATUS status;
> @@ -2360,8 +2363,10 @@ OvsExtractFlow(const NET_BUFFER_LIST *packet,
>                  }
>              }
>          } else {
> +            /* Invalid network header */
>              ((UINT64 *)ipKey)[0] = 0;
>              ((UINT64 *)ipKey)[1] = 0;
> +            return NDIS_STATUS_INVALID_PACKET;
>          }
>      } else if (flow->l2.dlType == htons(ETH_TYPE_IPV6)) {
>          NDIS_STATUS status;
> diff --git a/datapath-windows/ovsext/Offload.c b/datapath-windows/ovsext/
> Offload.c
> index 65d3b67..0905c80 100644
> --- a/datapath-windows/ovsext/Offload.c
> +++ b/datapath-windows/ovsext/Offload.c
> @@ -563,6 +563,9 @@ OvsValidateIPChecksum(PNET_BUFFER_LIST curNbl,
>              if (checksum != hdrChecksum) {
>                  return NDIS_STATUS_FAILURE;
>              }
> +        } else {
> +            /* Invalid network header */
> +            return NDIS_STATUS_FAILURE;
>          }
>      }
>      return NDIS_STATUS_SUCCESS;
> diff --git a/datapath-windows/ovsext/PacketParser.h
> b/datapath-windows/ovsext/PacketParser.h
> index f1d7f28..0d5c0a6 100644
> --- a/datapath-windows/ovsext/PacketParser.h
> +++ b/datapath-windows/ovsext/PacketParser.h
> @@ -17,6 +17,8 @@
>  #ifndef __PACKET_PARSER_H_
>  #define __PACKET_PARSER_H_ 1
>
> +#define MIN_IPV4_HLEN 20
> +
>  #include "precomp.h"
>  #include "NetProto.h"
>
> @@ -107,7 +109,12 @@ OvsGetIp(const NET_BUFFER_LIST *packet,
>      const IPHdr *ip = OvsGetPacketBytes(packet, sizeof *ip, ofs, storage);
>      if (ip) {
>          int ipLen = ip->ihl * 4;
> -        if (ipLen >= sizeof *ip && OvsPacketLenNBL(packet) >= ofs +
> ipLen) {
> +        if (ipLen <  MIN_IPV4_HLEN ||
> +                ipLen > MAX_IPV4_HLEN ||
> +                OvsPacketLenNBL(packet) < ofs + ipLen) {
> +           /* IP header is invalid, flag it */
> +           return NULL;
> +        } else {
>              return ip;
>          }
>      }
> diff --git a/datapath-windows/ovsext/Stt.c b/datapath-windows/ovsext/Stt.c
> index 1f36835..676cf0c 100644
> --- a/datapath-windows/ovsext/Stt.c
> +++ b/datapath-windows/ovsext/Stt.c
> @@ -1019,7 +1019,7 @@ OvsDecapStt(POVS_SWITCH_CONTEXT switchContext,
>                  innerIpHdr->check = IPChecksum((UINT8 *)innerIpHdr,
>                                                  innerIpHdr->ihl * 4, 0);
>              } else {
> -                status = NDIS_STATUS_RESOURCES;
> +                status = NDIS_STATUS_INVALID_PACKET;
>                  goto dropNbl;
>              }
>          } else if (layers.isIPv6) {
> diff --git a/datapath-windows/ovsext/User.c b/datapath-windows/ovsext/
> User.c
> index 7880220..22ee7af 100644
> --- a/datapath-windows/ovsext/User.c
> +++ b/datapath-windows/ovsext/User.c
> @@ -465,6 +465,11 @@ OvsExecuteDpIoctl(OvsPacketExecute *execute)
>      ndisStatus = OvsExtractFlow(pNbl, execute->inPort, &key, &layers,
>                       tempTunKey.tunKey.dst == 0 ? NULL :
> &tempTunKey.tunKey);
>
> +    if (ndisStatus != NDIS_STATUS_SUCCESS) {
> +        /* Invalid network header */
> +        goto dropit;
> +    }
> +
>      ctx = (POVS_BUFFER_CONTEXT)NET_BUFFER_LIST_CONTEXT_DATA_START(pNbl);
>      ctx->mru = execute->mru;
>
> diff --git a/datapath-windows/ovsext/Vxlan.c b/datapath-windows/ovsext/
> Vxlan.c
> index 427f31c..f66a7e5 100644
> --- a/datapath-windows/ovsext/Vxlan.c
> +++ b/datapath-windows/ovsext/Vxlan.c
> @@ -489,7 +489,8 @@ OvsSlowPathDecapVxlan(const PNET_BUFFER_LIST packet,
>          if (nh) {
>              layers.l4Offset = layers.l3Offset + nh->ihl * 4;
>          } else {
> -            break;
> +           status = NDIS_STATUS_INVALID_PACKET;
> +           break;
>          }
>
>          /* make sure it's a VXLAN packet */
> --
> 2.9.3.windows.2
>
> _______________________________________________
> dev mailing list
> dev at openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>

More information about the dev mailing list