[ovs-git] [openvswitch/ovs] 4fe080: flow: Fix buffer overread for crafted IPv6 packets...

GitHub noreply at github.com
Tue Jul 10 04:02:09 UTC 2018


  Branch: refs/heads/master
  Home:   https://github.com/openvswitch/ovs
  Commit: 4fe08016068514be7a8751d86f6ad30bde344949
      https://github.com/openvswitch/ovs/commit/4fe08016068514be7a8751d86f6ad30bde344949
  Author: Ben Pfaff <blp at ovn.org>
  Date:   2018-07-09 (Mon, 09 Jul 2018)

  Changed paths:
    M lib/flow.c

  Log Message:
  -----------
  flow: Fix buffer overread for crafted IPv6 packets.

The ipv6_sanity_check() function implemented a check for IPv6 payload
length wrong: ip6_plen is the payload length but this function checked
whether it was longer than the total length of IPv6 header plus payload.
This meant that a packet with a crafted ip6_plen could result in a buffer
overread of up to the length of an IPv6 header (40 bytes).

The kernel datapath flow extraction code does not obviously have a similar
problem.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9287
Signed-off-by: Ben Pfaff <blp at ovn.org>
Acked-by: Darrell Ball <dlu998 at gmail.com>
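
The length check described in the log message, shown in its flawed and corrected forms. This is an added C sketch, not the code from lib/flow.c; the function names and the 60-byte sample packet are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV6_HDR_LEN 40u          /* fixed IPv6 header size in bytes */

/* ip6_plen is the big-endian 16-bit field at bytes 4-5 of the header. */
static uint16_t read_plen(const uint8_t *pkt) {
    return (uint16_t)((pkt[4] << 8) | pkt[5]);
}

/* Flawed form: payload length compared against header + payload. */
bool plen_check_flawed(const uint8_t *pkt, size_t size) {
    return size >= IPV6_HDR_LEN && (size_t)read_plen(pkt) <= size;
}

/* Corrected form: header + payload length must fit in the buffer. */
bool plen_check_fixed(const uint8_t *pkt, size_t size) {
    return size >= IPV6_HDR_LEN
        && (size_t)read_plen(pkt) + IPV6_HDR_LEN <= size;
}

/* Bytes beyond the buffer that a parser trusting ip6_plen would read. */
size_t overread_bytes(const uint8_t *pkt, size_t size) {
    if (size < IPV6_HDR_LEN) return 0;
    size_t end = (size_t)read_plen(pkt) + IPV6_HDR_LEN;
    return end > size ? end - size : 0;
}

/* Constructed sample: zeroed buffer with only ip6_plen filled in. */
void make_packet(uint8_t *buf, size_t size, uint16_t plen) {
    memset(buf, 0, size);
    buf[4] = (uint8_t)(plen >> 8);
    buf[5] = (uint8_t)(plen & 0xff);
}

int main(void) {
    uint8_t buf[60];                   /* 40-byte header + 20 payload */
    make_packet(buf, sizeof buf, 60);  /* ip6_plen claims 60, not 20 */
    printf("flawed=%d fixed=%d overread=%zu\n", plen_check_flawed(buf, 60),
           plen_check_fixed(buf, 60), overread_bytes(buf, 60));
    return 0;
}
```

The largest ip6_plen the flawed check accepts equals the buffer size, which is what bounds the overread at one header length.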


