packages/openvswitch
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
openvswitch/CVE-2020-35498.patch
wang_yue111 d882ff97bd fix CVE-2020-35498
2021-03-01 11:04:39 +08:00

101 lines
3.9 KiB
Diff
Raw Blame History

From 45e941a17b605cc61e7c3ed8cffed5b3a5b608a6 Mon Sep 17 00:00:00 2001
From: wang_yue111 <648774160@qq.com>
Date: Fri, 26 Feb 2021 18:20:58 +0800
Subject: [PATCH] flow: Support extra padding length.
Although not required, padding can be optionally added until
the packet length is MTU bytes. A packet with extra padding
currently fails sanity checks.
Vulnerability: CVE-2020-35498
Fixes: fa8d9001a624 ("miniflow_extract: Properly handle small IP packets.")
Reported-by: Joakim Hindersson <joakim.hindersson@elastx.se>
Acked-by: Ilya Maximets <i.maximets@ovn.org>
Signed-off-by: Flavio Leitner <fbl@sysclose.org>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
---
lib/conntrack.c | 2 +-
lib/dp-packet.h | 10 +++++-----
lib/flow.c | 6 +++---
3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/lib/conntrack.c b/lib/conntrack.c
index 47ebc8e..9a59ef6 100644
--- a/lib/conntrack.c
+++ b/lib/conntrack.c
@@ -688,7 +688,7 @@ static void
reverse_nat_packet(struct dp_packet *pkt, const struct conn *conn)
{
char *tail = dp_packet_tail(pkt);
- uint8_t pad = dp_packet_l2_pad_size(pkt);
+ uint16_t pad = dp_packet_l2_pad_size(pkt);
struct conn_key inner_key;
const char *inner_l4 = NULL;
uint16_t orig_l3_ofs = pkt->l3_ofs;
diff --git a/lib/dp-packet.h b/lib/dp-packet.h
index 14f0897..c607247 100644
--- a/lib/dp-packet.h
+++ b/lib/dp-packet.h
@@ -76,7 +76,7 @@ struct dp_packet {
/* All the following elements of this struct are copied in a single call
* of memcpy in dp_packet_clone_with_headroom. */
- uint8_t l2_pad_size; /* Detected l2 padding size.
+ uint16_t l2_pad_size; /* Detected l2 padding size.
* Padding is non-pullable. */
uint16_t l2_5_ofs; /* MPLS label stack offset, or UINT16_MAX */
uint16_t l3_ofs; /* Network-level header offset,
@@ -113,8 +113,8 @@ void *dp_packet_resize_l2(struct dp_packet *, int increment);
void *dp_packet_resize_l2_5(struct dp_packet *, int increment);
static inline void *dp_packet_eth(const struct dp_packet *);
static inline void dp_packet_reset_offsets(struct dp_packet *);
-static inline uint8_t dp_packet_l2_pad_size(const struct dp_packet *);
-static inline void dp_packet_set_l2_pad_size(struct dp_packet *, uint8_t);
+static inline uint16_t dp_packet_l2_pad_size(const struct dp_packet *);
+static inline void dp_packet_set_l2_pad_size(struct dp_packet *, uint16_t);
static inline void *dp_packet_l2_5(const struct dp_packet *);
static inline void dp_packet_set_l2_5(struct dp_packet *, void *);
static inline void *dp_packet_l3(const struct dp_packet *);
@@ -320,14 +320,14 @@ dp_packet_reset_offsets(struct dp_packet *b)
b->l4_ofs = UINT16_MAX;
}
-static inline uint8_t
+static inline uint16_t
dp_packet_l2_pad_size(const struct dp_packet *b)
{
return b->l2_pad_size;
}
static inline void
-dp_packet_set_l2_pad_size(struct dp_packet *b, uint8_t pad_size)
+dp_packet_set_l2_pad_size(struct dp_packet *b, uint16_t pad_size)
{
ovs_assert(pad_size <= dp_packet_size(b));
b->l2_pad_size = pad_size;
diff --git a/lib/flow.c b/lib/flow.c
index e54fd2e..354b441 100644
--- a/lib/flow.c
+++ b/lib/flow.c
@@ -660,7 +660,7 @@ ipv4_sanity_check(const struct ip_header *nh, size_t size,
tot_len = ntohs(nh->ip_tot_len);
if (OVS_UNLIKELY(tot_len > size || ip_len > tot_len ||
- size - tot_len > UINT8_MAX)) {
+ size - tot_len > UINT16_MAX)) {
return false;
}
@@ -698,8 +698,8 @@ ipv6_sanity_check(const struct ovs_16aligned_ip6_hdr *nh, size_t size)
if (OVS_UNLIKELY(plen + IPV6_HEADER_LEN > size)) {
return false;
}
- /* Jumbo Payload option not supported yet. */
- if (OVS_UNLIKELY(size - plen > UINT8_MAX)) {
+
+ if (OVS_UNLIKELY(size - (plen + IPV6_HEADER_LEN) > UINT16_MAX)) {
return false;
}
Reference in New Issue View Git Blame Copy Permalink