FreeBSD Bugzilla – Attachment 168794 Details for Bug 208404: [patch] net/openvswitch CVE-2016-2074
[patch] patch lib/flow.c
patch-lib_flow.c.diff (text/plain), 2.28 KB, created by Olli Hauer on 2016-03-30 18:24:10 UTC
>Index: files/patch-lib_flow.c >=================================================================== >--- files/patch-lib_flow.c (revision 0) >+++ files/patch-lib_flow.c (working copy) 
>@@ -0,0 +1,44 @@ >+Source: http://openvswitch.org/pipermail/announce/2016-March/000082.html >+ >+Open vSwitch 2.2.x and 2.3.x Patch >+================================== >+ >+From: Ben Pfaff <blp at ovn.org> >+Date: Mon, 7 Mar 2016 15:30:39 -0800 >+Subject: [PATCH branch-2.3] flow: Fix buffer overflow for crafted MPLS packets. >+ >+A bug in MPLS parsing could cause a crafted MPLS packet to overflow the >+buffer reserved for MPLS labels in the OVS internal flow structure. This >+fixes the problem. >+ >+This commit also fixes a secondary problem where an MPLS packet with zero >+labels could cause an out-of-range shift that would overwrite memory. >+There is no obvious way to control the data used in the overwrite, so this >+is harder to exploit. >+ >+Vulnerability: CVE-2016-2074 >+Reported-by: Kashyap Thimmaraju <kashyap.thimmaraju at sec.t-labs.tu-berlin.de> >+Reported-by: Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de> >+Signed-off-by: Ben Pfaff <blp at ovn.org> >+Acked-by: Jesse Gross <jesse at kernel.org> >+ >+--- lib/flow.c.orig 2015-06-18 19:32:47 UTC >++++ lib/flow.c >+@@ -159,7 +159,7 @@ struct mf_ctx { >+ >+ /* Data at 'valuep' may be unaligned. */ >+ #define miniflow_push_words_(MF, OFS, VALUEP, N_WORDS) \ >+-{ \ >++if (N_WORDS) { \ >+ int ofs32 = (OFS) / 4; \ >+ \ >+ MINIFLOW_ASSERT(MF.data + (N_WORDS) <= MF.end && (OFS) % 4 == 0 \ >+@@ -210,7 +210,7 @@ parse_mpls(void **datap, size_t *sizep) >+ break; >+ } >+ } >+- return MAX(count, FLOW_MAX_MPLS_LABELS); >++ return MIN(count, FLOW_MAX_MPLS_LABELS); >+ } >+ >+ static inline ovs_be16 > >Property changes on: files/patch-lib_flow.c >___________________________________________________________________ >Added: fbsd:nokeywords >## -0,0 +1 ## >+yes >\ No newline at end of property >Added: svn:eol-style >## -0,0 +1 ## >+native >\ No newline at end of property >Added: svn:mime-type >## -0,0 +1 ## >+text/plain >\ No newline at end of property
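Review bot: In the miniflow_push_words_ hunk, the macro body now opens with a bare "if (N_WORDS) {", so any use of the macro as the unbraced body of an if that has an else would bind that else to the macro's inner if. The call sites are not visible in this patch; either confirm none of them sits in an unbraced if/else, or wrap the body as "do { if (N_WORDS) { ... } } while (0)" so the zero-word guard stays without that hazard. A one-line comment on the guard saying that N_WORDS can be 0 for an MPLS packet with zero labels, the case the commit message describes, would also keep it from being removed later as redundant.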
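Review bot: In the parse_mpls hunk, the corrected "return MIN(count, FLOW_MAX_MPLS_LABELS);" clamps silently and nothing in the patch exercises it: the change touches only lib/flow.c, with no test for a packet carrying more than FLOW_MAX_MPLS_LABELS labels or for one with zero labels, the two cases the commit message names. A regression test covering both would be worth adding, along with a short comment at the return stating that, per the commit message, the value bounds what is written into the buffer reserved for MPLS labels in the flow structure, since a MAX/MIN mix-up at this spot is easy to reintroduce.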