>On 11/21/21 16:19, lic121 wrote:
>> Version 4:
>> - Cover case where tcp_hdrlen > tcp_pkt_size
>> - Other small adjustments
>>
>> ovs may install bad datapath flow when meet malformed pkts. As a
>> result, it may allows some unwanted pkts pass. This could be a point
>> of attack.
>>
>> lic121 (3):
>> upcall: prevent from installing flows when inconsistence
>> tests: fix packet data endianness
>> upcall: considering dataofs when parsing tcp pkt
>>
>> lib/flow.c | 20 ++++++++++-------
>> ofproto/ofproto-dpif-upcall.c | 26 +++++++++++++++++++---
>> tests/flowgen.py | 2 +-
>> tests/ofproto-dpif.at | 50
>>+++++++++++++++++++++++++++++++++++++++++++
>> 4 files changed, 86 insertions(+), 12 deletions(-)
>>
>
>Thanks for the new version! With some small cosmetic changes
>I applied patches #2 and #3. Also backported down to all
>supported branches (down to 2.13). This should fix the main
>parsing problem.
>
>And I found the patch that actually broke the parsing more
>than 7 years ago:
> 5a51b2cd3483 ("lib/ofpbuf: Remove 'l7' pointer.")
>
>I added it to the 'Fixes' tag in the patch #3.
>
>I didn't actually look closely to the patch #1 yet, so I'll
>need to get back to it a bit later.
>
Thanks for review the patches. Yes, the #3 patch fixs the main problem.
The #1 patch is important as well. Without patch #1,
we will have to keep an key on every patch, which affects flow parsing, to
prevent it from breaking the consistentance between kmod and vswitchd.
>Best regards, Ilya Maximets.
>
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev