[ovs-dev] [PATCH] flow: Fix uninitialized flow fields in IPv6 error case.

Ben Pfaff blp at ovn.org
Fri Sep 21 18:25:55 UTC 2018


When parse_ipv6_ext_hdrs__() returned false, half a 64-bit word had been
pushed into the miniflow and the second half was left uninitialized.  This
commit fixes the problem.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10518
Signed-off-by: Ben Pfaff <blp at ovn.org>
---
 lib/flow.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/lib/flow.c b/lib/flow.c
index 128f64083ac7..bffee70ab55b 100644
--- a/lib/flow.c
+++ b/lib/flow.c
@@ -868,11 +868,6 @@ miniflow_extract(struct dp_packet *packet, struct miniflow *dst)
         }
 
         tc_flow = get_16aligned_be32(&nh->ip6_flow);
-        {
-            ovs_be32 label = tc_flow & htonl(IPV6_LABEL_MASK);
-            miniflow_push_be32(mf, ipv6_label, label);
-        }
-
         nw_tos = ntohl(tc_flow) >> 20;
         nw_ttl = nh->ip6_hlim;
         nw_proto = nh->ip6_nxt;
@@ -880,6 +875,12 @@ miniflow_extract(struct dp_packet *packet, struct miniflow *dst)
         if (!parse_ipv6_ext_hdrs__(&data, &size, &nw_proto, &nw_frag)) {
             goto out;
         }
+
+        /* This needs to be after the parse_ipv6_ext_hdrs__() call because it
+         * leaves the nw_frag word uninitialized. */
+        ASSERT_SEQUENTIAL(ipv6_label, nw_frag);
+        ovs_be32 label = tc_flow & htonl(IPV6_LABEL_MASK);
+        miniflow_push_be32(mf, ipv6_label, label);
     } else {
         if (dl_type == htons(ETH_TYPE_ARP) ||
             dl_type == htons(ETH_TYPE_RARP)) {
-- 
2.16.1



More information about the dev mailing list