[ovs-git] [openvswitch/ovs] 36e450: flow: Fix crash on vlan packets with partial offlo...

Ilya Maximets noreply at github.com
Fri Oct 25 16:50:48 UTC 2019


  Branch: refs/heads/branch-2.11
  Home:   https://github.com/openvswitch/ovs
  Commit: 36e45049c44c7334fe1ed68d940dd07f9d5943c3
      https://github.com/openvswitch/ovs/commit/36e45049c44c7334fe1ed68d940dd07f9d5943c3
  Author: Ilya Maximets <i.maximets at ovn.org>
  Date:   2019-10-25 (Fri, 25 Oct 2019)

  Changed paths:
    M lib/flow.c
    M lib/flow.h

  Log Message:
  -----------
  flow: Fix crash on vlan packets with partial offloading.

parse_tcp_flags() does not care about vlan tags in a packet thus
not able to parse them.  As a result, if partial offloading is
enabled in userspace datapath vlan packets are not parsed, i.e.
has no initialized offsets.  This causes OVS crash on any attempt
to access/modify packet header fields.

For example, having the flow with following actions:
  in_port=1,ip,actions=mod_nw_src:192.168.0.7,output:IN_PORT

will lead to OVS crash on vlan packet handling:

 Process terminating with default action of signal 11 (SIGSEGV)
 Invalid read of size 4
    at 0x785657: get_16aligned_be32 (unaligned.h:249)
    by 0x785657: odp_set_ipv4 (odp-execute.c:82)
    by 0x785657: odp_execute_masked_set_action (odp-execute.c:527)
    by 0x785657: odp_execute_actions (odp-execute.c:894)
    by 0x74CDA9: dp_netdev_execute_actions (dpif-netdev.c:7355)
    by 0x74CDA9: packet_batch_per_flow_execute (dpif-netdev.c:6339)
    by 0x74CDA9: dp_netdev_input__ (dpif-netdev.c:6845)
    by 0x74DB6E: dp_netdev_input (dpif-netdev.c:6854)
    by 0x74DB6E: dp_netdev_process_rxq_port (dpif-netdev.c:4287)
    by 0x74E863: dpif_netdev_run (dpif-netdev.c:5264)
    by 0x703F57: type_run (ofproto-dpif.c:370)
    by 0x6EC8B8: ofproto_type_run (ofproto.c:1760)
    by 0x6DA52B: bridge_run__ (bridge.c:3188)
    by 0x6E083F: bridge_run (bridge.c:3252)
    by 0x1642E4: main (ovs-vswitchd.c:127)
  Address 0xc is not stack'd, malloc'd or (recently) free'd

Fix that by properly parsing vlan tags first.  Function 'parse_dl_type'
transformed for that purpose as it had no users anyway.

Fixes: aab96ec4d81e ("dpif-netdev: retrieve flow directly from the flow mark")
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>
Acked-by: Ben Pfaff <blp at ovn.org>




More information about the git mailing list