[ovs-git] [openvswitch/ovs] fafbfa: ofp-util: Fix buffer overread in ofputil_pull_queu...

GitHub noreply at github.com
Thu May 25 21:24:48 UTC 2017


  Branch: refs/heads/master
  Home:   https://github.com/openvswitch/ovs
  Commit: fafbfa6ea46911aeb0083f166fed215ca71e22b6
      https://github.com/openvswitch/ovs/commit/fafbfa6ea46911aeb0083f166fed215ca71e22b6
  Author: Ben Pfaff <blp at ovn.org>
  Date:   2017-05-25 (Thu, 25 May 2017)

  Changed paths:
    M lib/ofp-util.c

  Log Message:
  -----------
  ofp-util: Fix buffer overread in ofputil_pull_queue_get_config_reply10().

msg->size isn't the relevant measurement here because we're only supposed
to read 'len' bytes.  Reading more than that causes 'len' to underflow to a
large number at the end of the loop.

Reported-by: Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de>
Signed-off-by: Ben Pfaff <blp at ovn.org>
Acked-by: Greg Rose <gvrose8192 at gmail.com>


  Commit: 13f4d25a6aa086306bc65752b3232a5091fbf3ea
      https://github.com/openvswitch/ovs/commit/13f4d25a6aa086306bc65752b3232a5091fbf3ea
  Author: Ben Pfaff <blp at ovn.org>
  Date:   2017-05-25 (Thu, 25 May 2017)

  Changed paths:
    M ovn/controller/pinctrl.c

  Log Message:
  -----------
  pinctrl: Be more careful in parsing DHCPv6 and DNS.

pinctrl_handle_put_dhcpv6_opts() and pinctrl_handle_dns_lookup() were not
checking that a full UDP header was present before reading its udp_len
field.  This patch fixes the problem.

I don't think that the system as a whole, as normally installed, was
exploitable.  This is because pinctrl processes a packet sent to it from
ovs-vswitchd.  ovs-vswitchd only sends it UDPv6 DHCPv6 packets.  To
determine that the packets are DHCPv6, ovs-vswitchd has to see its UDP port
numbers are those for DHCPv6, and it's only going to see that if an entire
UDP header is present.  Therefore, this part of pinctrl will only ever
process a packet for which udp_len is there.

I believe that pinctrl_handle_dns_lookup() is similar.

Reported-by: Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de>
Signed-off-by: Ben Pfaff <blp at ovn.org>
Acked-by: Greg Rose <gvrose8192 at gmail.com>


Compare: https://github.com/openvswitch/ovs/compare/b95d82bf931b...13f4d25a6aa0


More information about the git mailing list