[ovs-dev] [PATCH 1/2] flow: Fix buffer overread for crafted IPv6 packets.

Ben Pfaff blp at ovn.org
Tue Jul 10 04:45:13 UTC 2018


Yeah, that's always a risk.

I applied this to master and backported as far as branch-2.4.

On Mon, Jul 09, 2018 at 08:13:16PM -0700, Darrell Ball wrote:
> Acked-by: Darrell Ball <dlu998 at gmail.com>
> 
> I never read the contents of that function; just assumed it was sanitizing
> the packet :-)
> 
> On Mon, Jul 9, 2018 at 1:04 PM, Ben Pfaff <blp at ovn.org> wrote:
> 
> > The ipv6_sanity_check() function implemented a check for IPv6 payload
> > length wrong: ip6_plen is the payload length but this function checked
> > whether it was longer than the total length of IPv6 header plus payload.
> > This meant that a packet with a crafted ip6_plen could result in a buffer
> > overread of up to the length of an IPv6 header (40 bytes).
> >
> > The kernel datapath flow extraction code does not obviously have a similar
> > problem.
> >
> > Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9287
> > Signed-off-by: Ben Pfaff <blp at ovn.org>
> > ---
> >  lib/flow.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/lib/flow.c b/lib/flow.c
> > index a785e63a82f3..76a8b9aaeaae 100644
> > --- a/lib/flow.c
> > +++ b/lib/flow.c
> > @@ -677,7 +677,7 @@ ipv6_sanity_check(const struct ovs_16aligned_ip6_hdr
> > *nh, size_t size)
> >      }
> >
> >      plen = ntohs(nh->ip6_plen);
> > -    if (OVS_UNLIKELY(plen > size)) {
> > +    if (OVS_UNLIKELY(plen + IPV6_HEADER_LEN > size)) {
> >          return false;
> >      }
> >      /* Jumbo Payload option not supported yet. */
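Review bot: the new condition is the right one, since ip6_plen excludes the fixed 40-byte header, but the hunk does not show that size has already been checked against IPV6_HEADER_LEN earlier in ipv6_sanity_check() (the closing brace at the top of the hunk suggests such a check); without it, ntohs(nh->ip6_plen) itself would read past the end of a short buffer, so that prior check should be confirmed when backporting. A one-line comment on the new condition stating that ip6_plen does not include the fixed header would help, since the pre-patch line shows how easily the field is misread.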
> > --
> > 2.16.1
> >
> > _______________________________________________
> > dev mailing list
> > dev at openvswitch.org
> > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
> >
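The overread the commit message describes is easy to see with the two checks side by side. The following is an added example written for this page, not Open vSwitch code: it uses a simplified fixed IPv6 header (not OVS's struct ovs_16aligned_ip6_hdr), reimplements the pre-patch and post-patch conditions as separate functions, and builds a constructed packet whose ip6_plen claims the whole buffer length, so that a parser trusting the old check would read 40 bytes past the end of the buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

#define IPV6_HEADER_LEN 40

/* Simplified fixed IPv6 header, constructed for this example. The OVS code
 * uses struct ovs_16aligned_ip6_hdr; the field meanings are the same. */
struct ip6_hdr_min {
    uint32_t ip6_flow;      /* version, traffic class, flow label */
    uint16_t ip6_plen;      /* payload length: EXCLUDES this 40-byte header */
    uint8_t  ip6_nxt;
    uint8_t  ip6_hlim;
    uint8_t  ip6_src[16];
    uint8_t  ip6_dst[16];
};
_Static_assert(sizeof(struct ip6_hdr_min) == IPV6_HEADER_LEN, "header size");

/* Pre-patch condition: compares the payload length against the whole
 * buffer, which still contains the 40-byte header. */
static bool
ipv6_sanity_check_before(const uint8_t *buf, size_t size)
{
    struct ip6_hdr_min nh;
    if (size < IPV6_HEADER_LEN) {
        return false;               /* assumed earlier check in the real code */
    }
    memcpy(&nh, buf, sizeof nh);    /* memcpy avoids alignment assumptions */
    size_t plen = ntohs(nh.ip6_plen);
    return !(plen > size);
}

/* Post-patch condition: header plus payload must fit in the buffer. plen is
 * at most 65535, so the addition cannot wrap a size_t. */
static bool
ipv6_sanity_check_after(const uint8_t *buf, size_t size)
{
    struct ip6_hdr_min nh;
    if (size < IPV6_HEADER_LEN) {
        return false;
    }
    memcpy(&nh, buf, sizeof nh);
    size_t plen = ntohs(nh.ip6_plen);
    return !(plen + IPV6_HEADER_LEN > size);
}

/* How many bytes a parser that trusts 'check' and then reads
 * IPV6_HEADER_LEN + ip6_plen bytes would read beyond 'size'. */
static size_t
overread_bytes(const uint8_t *buf, size_t size,
               bool (*check)(const uint8_t *, size_t))
{
    if (!check(buf, size)) {
        return 0;                   /* rejected, nothing is parsed */
    }
    struct ip6_hdr_min nh;
    memcpy(&nh, buf, sizeof nh);
    size_t need = IPV6_HEADER_LEN + (size_t) ntohs(nh.ip6_plen);
    return need > size ? need - size : 0;
}

/* Build a constructed packet: a 40-byte header whose ip6_plen says
 * 'claimed', followed by 'payload' real bytes. Returns the buffer length. */
static size_t
build_packet(uint8_t *out, size_t cap, uint16_t claimed, size_t payload)
{
    if (cap < IPV6_HEADER_LEN + payload) {
        return 0;
    }
    struct ip6_hdr_min nh;
    memset(&nh, 0, sizeof nh);
    nh.ip6_flow = htonl(6u << 28);  /* version 6 */
    nh.ip6_plen = htons(claimed);
    nh.ip6_nxt = 59;                /* No Next Header */
    nh.ip6_hlim = 64;
    memcpy(out, &nh, sizeof nh);
    memset(out + IPV6_HEADER_LEN, 0xAB, payload);
    return IPV6_HEADER_LEN + payload;
}

int
main(void)
{
    uint8_t pkt[64];
    /* Crafted: 8 bytes of payload, but ip6_plen claims 48 (the whole buffer). */
    size_t n = build_packet(pkt, sizeof pkt, 48, 8);
    printf("crafted: before=%d after=%d overread(before)=%zu\n",
           ipv6_sanity_check_before(pkt, n), ipv6_sanity_check_after(pkt, n),
           overread_bytes(pkt, n, ipv6_sanity_check_before));
    /* Honest: ip6_plen matches the 8 payload bytes; both checks accept it. */
    n = build_packet(pkt, sizeof pkt, 8, 8);
    printf("honest: before=%d after=%d\n",
           ipv6_sanity_check_before(pkt, n), ipv6_sanity_check_after(pkt, n));
    return 0;
}
```

With the crafted packet the old condition accepts it (48 is not greater than 48) and a parser that then reads header plus payload runs 40 bytes past the buffer, exactly the bound the commit message gives; the corrected condition rejects it because 48 + 40 exceeds the 48 bytes available.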

