The ipv6_sanity_check() function implemented a check for IPv6 payload length wrong: ip6_plen is the payload length but this function checked whether it was longer than the total length of IPv6 header plus payload. This meant that a packet with a crafted ip6_plen could result in a buffer overread of up to the length of an IPv6 header (40 bytes).
The kernel datapath flow extraction code does not obviously have a similar problem. Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9287 Signed-off-by: Ben Pfaff <[email protected]> --- lib/flow.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/flow.c b/lib/flow.c index a785e63a82f3..76a8b9aaeaae 100644 --- a/lib/flow.c +++ b/lib/flow.c @@ -677,7 +677,7 @@ ipv6_sanity_check(const struct ovs_16aligned_ip6_hdr *nh, size_t size) } plen = ntohs(nh->ip6_plen); - if (OVS_UNLIKELY(plen > size)) { + if (OVS_UNLIKELY(plen + IPV6_HEADER_LEN > size)) { return false; } /* Jumbo Payload option not supported yet. */ -- 2.16.1 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
