| author | Ben Pfaff <blp@ovn.org> | 2018-07-09 13:04:03 -0700 |
|---|---|---|
| committer | Ben Pfaff <blp@ovn.org> | 2018-07-09 20:54:22 -0700 |
| commit | 4fe08016068514be7a8751d86f6ad30bde344949 (patch) | |
| tree | b71548d15878d696ad86b114e7964bde5345321c /lib | |
| parent | f5129153e3b12c0b9ca6b355f9062d91a67d2942 (diff) | |
| download | openvswitch-4fe08016068514be7a8751d86f6ad30bde344949.tar.gz | |
flow: Fix buffer overread for crafted IPv6 packets.
The ipv6_sanity_check() function implemented a check for IPv6 payload
length wrong: ip6_plen is the payload length but this function checked
whether it was longer than the total length of IPv6 header plus payload.
This meant that a packet with a crafted ip6_plen could result in a buffer
overread of up to the length of an IPv6 header (40 bytes).
The kernel datapath flow extraction code does not obviously have a similar
problem.
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9287
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Darrell Ball <dlu998@gmail.com>
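To make the mistake described above concrete, here is an added example (not Open vSwitch code) that puts the old comparison beside the corrected one and runs both on a constructed packet whose ip6_plen is exactly the buffer size, the case that slipped through before; the struct, the function names and the scratch buffer size are assumptions made for this example.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define IPV6_HEADER_LEN 40

/* Stand-in for the header struct (assumption: only ip6_plen is looked at). */
struct ip6_hdr_demo {
    uint32_t ip6_flow;     /* version, traffic class, flow label */
    uint16_t ip6_plen;     /* payload length, network order; excludes header */
    uint8_t  ip6_nxt;
    uint8_t  ip6_hlim;
    uint8_t  ip6_src[16];
    uint8_t  ip6_dst[16];
};

/* Does the 'size'-byte buffer at 'nh' hold the header plus the payload that
 * ip6_plen promises?  'fixed' selects the corrected comparison. */
static bool
ipv6_sanity_check_demo(const struct ip6_hdr_demo *nh, size_t size, bool fixed)
{
    if (size < IPV6_HEADER_LEN) return false;   /* header not fully present */
    size_t plen = ntohs(nh->ip6_plen);
    if (fixed) {
        return plen + IPV6_HEADER_LEN <= size;  /* header + payload must fit */
    }
    /* Pre-commit form: compares the payload length against the whole buffer,
     * so plen may exceed the real payload by up to IPV6_HEADER_LEN bytes. */
    return plen <= size;
}

/* Construct a 'size'-byte packet whose header claims 'plen' payload bytes and
 * run both checks.  Returns bit 0 if the old check accepts, bit 1 if the
 * fixed check accepts, -1 if 'size' exceeds the scratch buffer. */
int
check_crafted_plen(uint16_t plen, size_t size)
{
    union { uint8_t bytes[256]; struct ip6_hdr_demo hdr; } pkt;
    if (size > sizeof pkt.bytes) return -1;
    memset(&pkt, 0, sizeof pkt);
    pkt.hdr.ip6_flow = htonl(0x60000000u);      /* version 6 */
    pkt.hdr.ip6_plen = htons(plen);
    int result = 0;
    if (ipv6_sanity_check_demo(&pkt.hdr, size, false)) result |= 1;
    if (ipv6_sanity_check_demo(&pkt.hdr, size, true))  result |= 2;
    return result;
}
```

A 60-byte buffer claiming 60 payload bytes passes the old check but fails the fixed one, which is the 40-byte overread window the commit message describes.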
Diffstat (limited to 'lib')
-rw-r--r-- | lib/flow.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/flow.c b/lib/flow.c index a785e63a8..76a8b9aae 100644 --- a/lib/flow.c +++ b/lib/flow.c @@ -677,7 +677,7 @@ ipv6_sanity_check(const struct ovs_16aligned_ip6_hdr *nh, size_t size) } plen = ntohs(nh->ip6_plen); - if (OVS_UNLIKELY(plen > size)) { + if (OVS_UNLIKELY(plen + IPV6_HEADER_LEN > size)) { return false; } /* Jumbo Payload option not supported yet. */ |
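Review bot: the new comparison `plen + IPV6_HEADER_LEN > size` is the right one, since ip6_plen excludes the fixed 40-byte header, but the hunk starts just after a closing `}` and does not show what that block checked; confirm that the preceding code already rejects `size < IPV6_HEADER_LEN`, otherwise reading `nh->ip6_plen` is itself an overread before this line runs. Wrap-around is not a concern: `ntohs()` yields at most 65535, so the sum stays far below any `size_t` limit. Given that the report came from OSS-Fuzz with a reproducer, consider adding a crafted packet with ip6_plen equal to the buffer length as a regression case in the flow extraction tests so the old `plen > size` form cannot quietly return.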