Yeah, that's always a risk. I applied this to master and backported as far as branch-2.4.
On Mon, Jul 09, 2018 at 08:13:16PM -0700, Darrell Ball wrote:
> Acked-by: Darrell Ball <[email protected]>
>
> I never read the contents of that function; just assumed it was sanitizing
> the packet :-)
>
> On Mon, Jul 9, 2018 at 1:04 PM, Ben Pfaff <[email protected]> wrote:
>
> > The ipv6_sanity_check() function implemented a check for IPv6 payload
> > length wrong: ip6_plen is the payload length but this function checked
> > whether it was longer than the total length of IPv6 header plus payload.
> > This meant that a packet with a crafted ip6_plen could result in a buffer
> > overread of up to the length of an IPv6 header (40 bytes).
> >
> > The kernel datapath flow extraction code does not obviously have a similar
> > problem.
> >
> > Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9287
> > Signed-off-by: Ben Pfaff <[email protected]>
> > ---
> >  lib/flow.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/lib/flow.c b/lib/flow.c
> > index a785e63a82f3..76a8b9aaeaae 100644
> > --- a/lib/flow.c
> > +++ b/lib/flow.c
> > @@ -677,7 +677,7 @@ ipv6_sanity_check(const struct ovs_16aligned_ip6_hdr
> > *nh, size_t size)
> >      }
> >
> >      plen = ntohs(nh->ip6_plen);
> > -    if (OVS_UNLIKELY(plen > size)) {
> > +    if (OVS_UNLIKELY(plen + IPV6_HEADER_LEN > size)) {
> >          return false;
> >      }
> >      /* Jumbo Payload option not supported yet. */
> > --
> > 2.16.1
> >
> > _______________________________________________
> > dev mailing list
> > [email protected]
> > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
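Review bot: the corrected condition `plen + IPV6_HEADER_LEN > size` is right, but since the bug came from reading ip6_plen as if it covered the header, a one-line comment above the `if` stating that ip6_plen excludes the 40-byte fixed header would stop the same misreading from recurring. A regression test would also help: a buffer of exactly `size` bytes whose ip6_plen equals `size` passed the old check and is rejected by the new one, and the oss-fuzz reproducer referenced in the commit message is the natural input for it.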

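The over-read described in the commit message, worked through as an added example that is not part of the patch or of OVS: a minimal stand-in reads ip6_plen from offset 4 of a constructed IPv6 header, applies the check as it was before and after the fix, and reports how far past the buffer a parser trusting the old check would read. Names (plen_check_before, plen_check_after, run_case), the 128-byte buffer size and the packets are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define IPV6_HEADER_LEN 40

/* ip6_plen: 16-bit payload length at offset 4 of the fixed IPv6 header. */
static uint16_t ip6_plen_of(const uint8_t *pkt)
{
    return (uint16_t) ((pkt[4] << 8) | pkt[5]);
}

/* Check as it was before the patch: compares the payload length against
 * the whole buffer, forgetting the 40 header bytes ahead of the payload. */
static bool plen_check_before(const uint8_t *pkt, size_t size)
{
    if (size < IPV6_HEADER_LEN) return false;
    return (size_t) ip6_plen_of(pkt) <= size;
}

/* Check as patched: header plus payload must fit inside the buffer. */
static bool plen_check_after(const uint8_t *pkt, size_t size)
{
    if (size < IPV6_HEADER_LEN) return false;
    return (size_t) ip6_plen_of(pkt) + IPV6_HEADER_LEN <= size;
}

/* Bytes past the buffer a parser trusting ip6_plen would read, 0 if none. */
static size_t overread_bytes(const uint8_t *pkt, size_t size)
{
    size_t end = IPV6_HEADER_LEN + (size_t) ip6_plen_of(pkt);
    return end > size ? end - size : 0;
}

struct case_result { bool old_ok, new_ok; size_t overread; };

/* Builds a constructed 'size'-byte packet (size <= 128; version 6, zero
 * payload, ip6_plen set to 'plen'; not real traffic) and runs both checks. */
static struct case_result run_case(size_t size, uint16_t plen)
{
    uint8_t buf[128] = {0};
    struct case_result r;
    buf[0] = 0x60;                      /* version 6 */
    buf[4] = (uint8_t) (plen >> 8);
    buf[5] = (uint8_t) (plen & 0xff);
    r.old_ok = plen_check_before(buf, size);
    r.new_ok = plen_check_after(buf, size);
    r.overread = overread_bytes(buf, size);
    return r;
}
```

A 60-byte buffer claiming ip6_plen = 60 passes the old check and would be parsed as 100 bytes, the 40-byte over-read the commit message gives as the worst case; the patched check rejects it.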