[ovs-dev] [branch-2.9] Revert "flow: Fix buffer overread for crafted IPv6 packets."

Lucas Alvares Gomes lucasagomes at gmail.com
Mon Jul 16 13:34:59 UTC 2018 

Thanks Justin,

In networking-ovn (the OVN driver for OpenStack Neutron) we are seem
an IPv6 related test failure right now [0] and I can confirm that
after I've applied this patch locally and re-ran the test it works
again.

[0] http://logs.openstack.org/59/570459/2/check/networking-ovn-tempest-dsvm-ovs-release/4b5bb1d/logs/testr_results.html.gz
(the link will eventually expire)

Acked-By: Lucas Alvares Gomes <lucasagomes at gmail.com>

On Sat, Jul 14, 2018 at 9:33 PM Justin Pettit <jpettit at ovn.org> wrote:
>
> This reverts commit 0760bd61a666e9fa866fcb5ed67f48f34895d2f6.
>
> This patch was a cherry-pick from a bug fix in the master branch that
> fixed an overread for IPv6 packets.  However, the backport introduced a
> problem in older branches, since the code path is different.  In the
> master branch, this check is done on the raw packet data, which starts
> at the beginning of the IPv6 packet.  In older branches, this check is
> done after a call to data_pull(), which subtracts the IPv6 header length
> from the 'size' variable.  This means that valid IPv6 packets aren't
> being processed since the check thinks they are too long.
>
> CC: Ben Pfaff <blp at ovn.org>
> Fixes: 0760bd61a66 ("flow: Fix buffer overread for crafted IPv6 packets.")
> Signed-off-by: Justin Pettit <jpettit at ovn.org>
>
> ---
> This patch should be backported to older branches starting with branch-2.9.
> ---
>  lib/flow.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/flow.c b/lib/flow.c
> index c78f46d6c15a..f9d7c2a74007 100644
> --- a/lib/flow.c
> +++ b/lib/flow.c
> @@ -804,7 +804,7 @@ miniflow_extract(struct dp_packet *packet, struct miniflow *dst)
>          nh = data_pull(&data, &size, sizeof *nh);
>
>          plen = ntohs(nh->ip6_plen);
> -        if (OVS_UNLIKELY(plen + IPV6_HEADER_LEN > size)) {
> +        if (OVS_UNLIKELY(plen > size)) {
>              goto out;
>          }
>          /* Jumbo Payload option not supported yet. */
> --
> 2.17.1
>
> _______________________________________________
> dev mailing list
> dev at openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev

More information about the dev mailing list