Message ID | 1458651825-102084-1-git-send-email-jpettit@ovn.org
---|---
State | Accepted
On Tue, Mar 22, 2016 at 06:03:43AM -0700, Justin Pettit wrote:
> From: Ben Pfaff <blp@ovn.org>
>
> A bug in MPLS parsing could cause a crafted MPLS packet to overflow the
> buffer reserved for MPLS labels in the OVS internal flow structure. This
> fixes the problem.
>
> This commit also fixes a secondary problem where an MPLS packet with zero
> labels could cause an out-of-range shift that would overwrite memory.
> There is no obvious way to control the data used in the overwrite, so this
> is harder to exploit.
>
> Vulnerability: CVE-2016-2074
> Reported-by: Kashyap Thimmaraju <kashyap.thimmaraju@sec.t-labs.tu-berlin.de>
> Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de>
> Signed-off-by: Ben Pfaff <blp@ovn.org>
> Acked-by: Jesse Gross <jesse@kernel.org>

Already acked by Jesse so I think that this one is good.
diff --git a/lib/flow.c b/lib/flow.c index 52a384e..61a66ec 100644 --- a/lib/flow.c +++ b/lib/flow.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2014 Nicira, Inc. + * Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2016 Nicira, Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -159,7 +159,7 @@ struct mf_ctx { /* Data at 'valuep' may be unaligned. */ #define miniflow_push_words_(MF, OFS, VALUEP, N_WORDS) \ -{ \ +if (N_WORDS) { \ int ofs32 = (OFS) / 4; \ \ MINIFLOW_ASSERT(MF.data + (N_WORDS) <= MF.end && (OFS) % 4 == 0 \ @@ -210,7 +210,7 @@ parse_mpls(void **datap, size_t *sizep) break; } } - return MAX(count, FLOW_MAX_MPLS_LABELS); + return MIN(count, FLOW_MAX_MPLS_LABELS); } static inline ovs_be16
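Review bot: the miniflow_push_words_ hunk turns the macro body from a bare `{ ... }` block into an unbraced `if (N_WORDS) { ... }`, so an `else` written after an invocation of the macro would now bind to the macro's own `if`; wrapping the body in `do { ... } while (0)` keeps the expansion a single self-contained statement. A one-line comment above the guard saying that N_WORDS can be 0 for an MPLS packet with no labels (the out-of-range shift the commit message describes) would also help, since nothing in the hunk says why the guard is there.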
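Review bot: the parse_mpls hunk is the actual fix and MIN() is the right clamp: MAX(count, FLOW_MAX_MPLS_LABELS) handed back the unbounded count whenever a packet carried more labels than the buffer holds, and handed back FLOW_MAX_MPLS_LABELS for shorter stacks, overstating how many label words get pushed. The counting loop above the return is not touched by the hunk, so a regression test with more than FLOW_MAX_MPLS_LABELS entries, plus one with zero labels, would lock both cases in.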
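As an added illustration of the parse_mpls clamp (example code written for this page, not code from OVS): a minimal label-stack counter with the pre-patch MAX() clamp beside the post-patch MIN() clamp. MAX_MPLS_LABELS is a hypothetical stand-in for FLOW_MAX_MPLS_LABELS, and the label stacks are constructed test input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical cap standing in for FLOW_MAX_MPLS_LABELS (real value not on the page). */
#define MAX_MPLS_LABELS 4
#define MIN(a, b) ((a) < (b) ? (a) : (b))
#define MAX(a, b) ((a) > (b) ? (a) : (b))

/* Count label stack entries: each is 4 bytes; bit 8 of the big-endian word is the
 * bottom-of-stack (S) flag. Like the loop in the patch, this has no upper bound. */
static size_t count_mpls_labels(const uint8_t *data, size_t len)
{
    size_t count = 0;
    while (len >= 4) {
        uint32_t lse = ((uint32_t)data[0] << 24) | ((uint32_t)data[1] << 16)
                     | ((uint32_t)data[2] << 8) | data[3];
        count++;
        data += 4;
        len -= 4;
        if (lse & 0x100) {          /* S bit set: bottom of stack */
            break;
        }
    }
    return count;
}

/* Pre-patch clamp: MAX() never reduces a count larger than the buffer, and
 * reports MAX_MPLS_LABELS for stacks that are actually shorter. */
static size_t mpls_labels_before_fix(const uint8_t *data, size_t len)
{
    return MAX(count_mpls_labels(data, len), (size_t)MAX_MPLS_LABELS);
}

/* Post-patch clamp: MIN() caps the count at what the label buffer can hold. */
static size_t mpls_labels_after_fix(const uint8_t *data, size_t len)
{
    return MIN(count_mpls_labels(data, len), (size_t)MAX_MPLS_LABELS);
}

/* Constructed test input: n entries with labels 0..n-1, S bit on the last one. */
static size_t build_mpls_stack(uint8_t *buf, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        uint32_t lse = ((uint32_t)i << 12) | (i + 1 == n ? 0x100u : 0u);
        buf[4 * i] = (uint8_t)(lse >> 24);
        buf[4 * i + 1] = (uint8_t)(lse >> 16);
        buf[4 * i + 2] = (uint8_t)(lse >> 8);
        buf[4 * i + 3] = (uint8_t)lse;
    }
    return 4 * n;
}
```

Run with a 6-entry stack and a 2-entry stack: the pre-patch clamp reports 6 and 4 labels, the post-patch clamp reports 4 and 2.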