|
Line 0
Link Here
|
|
|
1 |
Source: http://openvswitch.org/pipermail/announce/2016-March/000082.html |
| 2 |
|
| 3 |
Open vSwitch 2.2.x and 2.3.x Patch |
| 4 |
================================== |
| 5 |
|
| 6 |
From: Ben Pfaff <blp at ovn.org> |
| 7 |
Date: Mon, 7 Mar 2016 15:30:39 -0800 |
| 8 |
Subject: [PATCH branch-2.3] flow: Fix buffer overflow for crafted MPLS packets. |
| 9 |
|
| 10 |
A bug in MPLS parsing could cause a crafted MPLS packet to overflow the |
| 11 |
buffer reserved for MPLS labels in the OVS internal flow structure. This |
| 12 |
fixes the problem. |
| 13 |
|
| 14 |
This commit also fixes a secondary problem where an MPLS packet with zero |
| 15 |
labels could cause an out-of-range shift that would overwrite memory. |
| 16 |
There is no obvious way to control the data used in the overwrite, so this |
| 17 |
is harder to exploit. |
| 18 |
|
| 19 |
Vulnerability: CVE-2016-2074 |
| 20 |
Reported-by: Kashyap Thimmaraju <kashyap.thimmaraju at sec.t-labs.tu-berlin.de> |
| 21 |
Reported-by: Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de> |
| 22 |
Signed-off-by: Ben Pfaff <blp at ovn.org> |
| 23 |
Acked-by: Jesse Gross <jesse at kernel.org> |
| 24 |
|
| 25 |
--- lib/flow.c.orig 2015-06-18 19:32:47 UTC |
| 26 |
+++ lib/flow.c |
| 27 |
@@ -159,7 +159,7 @@ struct mf_ctx { |
| 28 |
|
| 29 |
/* Data at 'valuep' may be unaligned. */ |
| 30 |
#define miniflow_push_words_(MF, OFS, VALUEP, N_WORDS) \ |
| 31 |
-{ \ |
| 32 |
+if (N_WORDS) { \ |
| 33 |
int ofs32 = (OFS) / 4; \ |
| 34 |
\ |
| 35 |
MINIFLOW_ASSERT(MF.data + (N_WORDS) <= MF.end && (OFS) % 4 == 0 \ |
| 36 |
@@ -210,7 +210,7 @@ parse_mpls(void **datap, size_t *sizep) |
| 37 |
break; |
| 38 |
} |
| 39 |
} |
| 40 |
- return MAX(count, FLOW_MAX_MPLS_LABELS); |
| 41 |
+ return MIN(count, FLOW_MAX_MPLS_LABELS); |
| 42 |
} |
| 43 |
|
| 44 |
static inline ovs_be16 |