author: Justin Pettit <jpettit@ovn.org> 2018-07-14 13:17:06 -0700
committer: Justin Pettit <jpettit@ovn.org> 2018-07-16 09:20:59 -0700
commit: a8201b144ca8dd830ee05f19c8591e15a204f275 (patch)
tree: 24bb3a1c7ad119a32c583abb310bf7c3e49c36f7
parent: 3306543ba525cc09cd676c54e9f9584c0fd554a1 (diff)
Revert "flow: Fix buffer overread for crafted IPv6 packets."
This reverts commit 0760bd61a666e9fa866fcb5ed67f48f34895d2f6.

This patch was a cherry-pick from a bug fix in the master branch that fixed an overread for IPv6 packets. However, the backport introduced a problem in older branches, since the code path is different. In the master branch, this check is done on the raw packet data, which starts at the beginning of the IPv6 packet. In older branches, this check is done after a call to data_pull(), which subtracts the IPv6 header length from the 'size' variable. This means that valid IPv6 packets aren't being processed since the check thinks they are too long.

CC: Ben Pfaff <blp@ovn.org>
Fixes: 0760bd61a66 ("flow: Fix buffer overread for crafted IPv6 packets.")
Signed-off-by: Justin Pettit <jpettit@ovn.org>
Acked-By: Lucas Alvares Gomes <lucasagomes@gmail.com>
-rw-r--r-- lib/flow.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/flow.c b/lib/flow.c
index 2b4045875..5e1ec80c0 100644
--- a/lib/flow.c
+++ b/lib/flow.c
@@ -579,7 +579,7 @@ miniflow_extract(struct dp_packet *packet, struct miniflow *dst)
nh = data_pull(&data, &size, sizeof *nh);
plen = ntohs(nh->ip6_plen);
- if (OVS_UNLIKELY(plen + IPV6_HEADER_LEN > size)) {
+ if (OVS_UNLIKELY(plen > size)) {
goto out;
}
/* Jumbo Payload option not supported yet. */
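Review bot: The restored `if (OVS_UNLIKELY(plen > size))` check is correct only because `size` was already reduced by `sizeof *nh` in the `data_pull(&data, &size, sizeof *nh)` call two lines above, and nothing at the check says so. That unstated dependency is what let the cherry-pick from master, where the comparison is made against the raw packet, start rejecting valid IPv6 packets here. Consider adding a one-line comment above the check stating that `size` no longer includes the IPv6 header at this point, so a later backport does not add `IPV6_HEADER_LEN` again. A test that feeds a well-formed IPv6 packet through `miniflow_extract()` on this branch and confirms it does not take the `goto out` path would also have caught the regression.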