We compute the length of the IPv6 header by parsing all of the
extension headers that we know about. However, the final result
is checked using ofpbuf_pull(), which checks the size with an
assertion. Since the length of the final header is not checked
in any other way, an invalid packet can trigger this assertion.
---
lib/flow.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/lib/flow.c b/lib/flow.c
index 879e462..6928f74 100644
--- a/lib/flow.c
+++ b/lib/flow.c
@@ -414,7 +414,7 @@ flow_extract(struct ofpbuf *packet, ovs_be64 tun_id,
uint16_t in_port,
return 0;
}
- nh = ofpbuf_pull(&b, nh_len);
+ nh = ofpbuf_try_pull(&b, nh_len);
if (nh) {
packet->l4 = b.data;
if (flow->nw_proto == IPPROTO_TCP) {
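Review bot: At the `nh = ofpbuf_try_pull(&b, nh_len);` line, the NULL result is handled only by the existing `if (nh)` guard, and no else branch is visible in this context, so a packet whose computed `nh_len` exceeds the remaining data now skips the L4 parsing and `packet->l4` is not set here. Please confirm that callers tolerate that state and that it is consistent with the `return 0` path just above this call. A one-line comment noting that `nh_len` is derived from packet-supplied extension headers and may be larger than the buffer would make the reason for the try variant obvious, and a test case with a truncated IPv6 extension header chain would keep the assertion from coming back.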
--
1.7.1