The call to packet_set_ipv6() calls into packet_rh_present(), which in
turn iterates through the L3 content.  Without this commit, the l4_ofs
in the packet has its default value of UINT16_MAX, which means that
packet_rh_present() reads well beyond the real maximum length of the
IPv6 header.

Reported by Address Sanitizer (actually the MLD test fails 100% of the
time with Address Sanitizer without this fix, so I guess I'm the only
one who uses it routinely).

CC: Dumitru Ceara <[email protected]>
Fixes: 677a3ba4d66b ("ovn: Add MLD support.")
Signed-off-by: Ben Pfaff <[email protected]>
---
 controller/pinctrl.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/controller/pinctrl.c b/controller/pinctrl.c
index d06915a65173..dc8d3fd28ea0 100644
--- a/controller/pinctrl.c
+++ b/controller/pinctrl.c
@@ -3238,6 +3238,7 @@ pinctrl_compose_ipv6(struct dp_packet *packet, struct 
eth_addr eth_src,
     eh->eth_src = eth_src;
     eh->eth_type = htons(ETH_TYPE_IPV6);
     dp_packet_set_l3(packet, nh);
+    dp_packet_set_l4(packet, nh + 1);
 
     nh->ip6_vfc = 0x60;
     nh->ip6_nxt = ip_proto;
-- 
2.24.1

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev

Reply via email to