[ovs-dev] [PATCH 1/2] flow: Fix buffer overread for crafted IPv6 packets.

Ben Pfaff blp at ovn.org
Mon Jul 9 20:04:03 UTC 2018

The ipv6_sanity_check() function implemented a check for IPv6 payload
length wrong: ip6_plen is the payload length but this function checked
whether it was longer than the total length of IPv6 header plus payload.
This meant that a packet with a crafted ip6_plen could result in a buffer
overread of up to the length of an IPv6 header (40 bytes).

The kernel datapath flow extraction code does not obviously have a similar

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9287
Signed-off-by: Ben Pfaff <blp at ovn.org>
 lib/flow.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/flow.c b/lib/flow.c
index a785e63a82f3..76a8b9aaeaae 100644
--- a/lib/flow.c
+++ b/lib/flow.c
@@ -677,7 +677,7 @@ ipv6_sanity_check(const struct ovs_16aligned_ip6_hdr *nh, size_t size)
     plen = ntohs(nh->ip6_plen);
-    if (OVS_UNLIKELY(plen > size)) {
+    if (OVS_UNLIKELY(plen + IPV6_HEADER_LEN > size)) {
         return false;
     /* Jumbo Payload option not supported yet. */

More information about the dev mailing list