From patchwork Fri Sep 21 18:25:55 2018
X-Patchwork-Submitter: Ben Pfaff
X-Patchwork-Id: 973394
From: Ben Pfaff
To: dev@openvswitch.org
Date: Fri, 21 Sep 2018 11:25:55 -0700
Message-Id: <20180921182555.20362-1-blp@ovn.org>
Cc: Ben Pfaff
Subject: [ovs-dev] [PATCH] flow: Fix uninitialized flow fields in IPv6 error case.

When parse_ipv6_ext_hdrs__() returned false, half a 64-bit word had been pushed into the miniflow and the second half was left uninitialized. This commit fixes the problem.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10518
Signed-off-by: Ben Pfaff
Reviewed-by: Yifeng Sun
--- lib/flow.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/lib/flow.c b/lib/flow.c index 128f64083ac7..bffee70ab55b 100644 --- a/lib/flow.c +++ b/lib/flow.c @@ -868,11 +868,6 @@ miniflow_extract(struct dp_packet *packet, struct miniflow *dst) } tc_flow = get_16aligned_be32(&nh->ip6_flow); - { - ovs_be32 label = tc_flow & htonl(IPV6_LABEL_MASK); - miniflow_push_be32(mf, ipv6_label, label); - } - nw_tos = ntohl(tc_flow) >> 20; nw_ttl = nh->ip6_hlim; nw_proto = nh->ip6_nxt; 
@@ -880,6 +875,12 @@ miniflow_extract(struct dp_packet *packet, struct miniflow *dst) if (!parse_ipv6_ext_hdrs__(&data, &size, &nw_proto, &nw_frag)) { goto out; } + + /* This needs to be after the parse_ipv6_ext_hdrs__() call because it + * leaves the nw_frag word uninitialized. */ + ASSERT_SEQUENTIAL(ipv6_label, nw_frag); + ovs_be32 label = tc_flow & htonl(IPV6_LABEL_MASK); + miniflow_push_be32(mf, ipv6_label, label); } else { if (dl_type == htons(ETH_TYPE_ARP) || dl_type == htons(ETH_TYPE_RARP)) {
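
Review bot: The comment added above ASSERT_SEQUENTIAL(ipv6_label, nw_frag) in the second hunk is ambiguous: "it leaves the nw_frag word uninitialized" reads as if parse_ipv6_ext_hdrs__() were the thing leaving nw_frag unset, when the commit message says the hazard is the label push filling only half of a 64-bit word before the "goto out" path exits. Suggest wording such as "Push ipv6_label only after parse_ipv6_ext_hdrs__() succeeds: the push fills half of a 64-bit word, and the error path would leave the nw_frag half uninitialized." The diffstat also shows only lib/flow.c changing, so a regression test built from the oss-fuzz reproducer named in Reported-at would help keep this ordering from being reverted later.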