Re: [ovs-dev] [PATCH v2 ovn] lflow: fix possible use-after-free in add_lb_vip_hairpin_reply_action
On Mon, Jul 18, 2022 at 6:48 AM Dumitru Ceara wrote:
>
> On 7/16/22 08:45, Lorenzo Bianconi wrote:
> > ofpbuf_put_zeros routine can rellocate the buffer if the requested size
> > is bigger than buffer tailroom. Reload ol pointer before running
> > ofpact_finish_LEARN in order to avoid a possible use-after-free in
> > add_lb_vip_hairpin_reply_action routine.
> >
> > Fixes: 022ea339c8 ("lflow: Use learn() action to generate LB hairpin reply
> > flows.")
> > Signed-off-by: Lorenzo Bianconi
> > ---
> > Changes since v1:
> > - rely on ofpbuf_at_assert in order to not overwrite possible former actions
> > ---
>
> Looks good to me, thanks!
>
> Acked-by: Dumitru Ceara
>
Thanks. I applied this patch to the main branch and backported to
branch-22.06. I will be backporting to branch-22.03 soon (running
tests).
Numan
> ___
> dev mailing list
> d...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [PATCH v2 ovn] lflow: fix possible use-after-free in add_lb_vip_hairpin_reply_action
On 7/16/22 08:45, Lorenzo Bianconi wrote:
> ofpbuf_put_zeros routine can rellocate the buffer if the requested size
> is bigger than buffer tailroom. Reload ol pointer before running
> ofpact_finish_LEARN in order to avoid a possible use-after-free in
> add_lb_vip_hairpin_reply_action routine.
>
> Fixes: 022ea339c8 ("lflow: Use learn() action to generate LB hairpin reply
> flows.")
> Signed-off-by: Lorenzo Bianconi
> ---
> Changes since v1:
> - rely on ofpbuf_at_assert in order to not overwrite possible former actions
> ---
Looks good to me, thanks!
Acked-by: Dumitru Ceara
___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
[ovs-dev] [PATCH v2 ovn] lflow: fix possible use-after-free in add_lb_vip_hairpin_reply_action
ofpbuf_put_zeros routine can rellocate the buffer if the requested size
is bigger than buffer tailroom. Reload ol pointer before running
ofpact_finish_LEARN in order to avoid a possible use-after-free in
add_lb_vip_hairpin_reply_action routine.
Fixes: 022ea339c8 ("lflow: Use learn() action to generate LB hairpin reply
flows.")
Signed-off-by: Lorenzo Bianconi
---
Changes since v1:
- rely on ofpbuf_at_assert in order to not overwrite possible former actions
---
controller/lflow.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/controller/lflow.c b/controller/lflow.c
index 934b23698..6055097b5 100644
--- a/controller/lflow.c
+++ b/controller/lflow.c
@@ -1775,6 +1775,7 @@ add_lb_vip_hairpin_reply_action(struct in6_addr *vip6,
ovs_be32 vip,
uint64_t cookie, struct ofpbuf *ofpacts)
{
struct match match = MATCH_CATCHALL_INITIALIZER;
+size_t ol_offset = ofpacts->size;
struct ofpact_learn *ol = ofpact_put_LEARN(ofpacts);
struct ofpact_learn_spec *ol_spec;
unsigned int imm_bytes;
@@ -1928,6 +1929,8 @@ add_lb_vip_hairpin_reply_action(struct in6_addr *vip6,
ovs_be32 vip,
src_imm = ofpbuf_put_zeros(ofpacts, OFPACT_ALIGN(imm_bytes));
memcpy(src_imm, _reg_value, imm_bytes);
+/* Reload ol pointer since ofpacts buffer can be reallocated. */
+ol = ofpbuf_at_assert(ofpacts, ol_offset, sizeof *ol);
ofpact_finish_LEARN(ofpacts, );
}
--
2.36.1
___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
