Some tunnel code in OVS (for example, CAPWAP) uses the skb->cb to
store information while processing packets. However, if we don't
find an appropriate tunnel port on receive, then we send an ICMP
port unreachable message, which calls back into the IP stack. The
stack assumes that skb->cb will still contain valid information
about from the IP layer, including any IP options. As a result,
icmp_echo_options() can read the garbage values from OVS and
overwrite data on the stack, panicing the machine.
This simply stops sending ICMP messages when ports are not found.
Many people find them confusing and flow based tunneling will
never send them (since it always finds a port) so it solves both
problems at once.
Bug #14880
Reported-by: Deepesh Govindan <dgovindan@nicira.com>
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Kyle Mestery <kmestery@cisco.com>
iph = ip_hdr(skb);
vport = ovs_tnl_find_port(sock_net(sk), iph->daddr, iph->saddr, key,
TNL_T_PROTO_CAPWAP, &mutable);
- if (unlikely(!vport)) {
- icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
+ if (unlikely(!vport))
goto error;
- }
if (key_present && mutable->key.daddr &&
!(mutable->flags & TNL_F_IN_KEY_MATCH)) {
iph = ip_hdr(skb);
vport = ovs_tnl_find_port(dev_net(skb->dev), iph->daddr, iph->saddr, key,
tunnel_type, &mutable);
- if (unlikely(!vport)) {
- icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
+ if (unlikely(!vport))
goto error;
- }
tnl_flags = gre_flags_to_tunnel_flags(mutable, gre_flags, &key);
tnl_tun_key_init(&tun_key, iph, key, tnl_flags);
iph = ip_hdr(skb);
vport = ovs_tnl_find_port(dev_net(skb->dev), iph->daddr, iph->saddr,
key, TNL_T_PROTO_VXLAN, &mutable);
- if (unlikely(!vport)) {
- icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
+ if (unlikely(!vport))
goto error;
- }
if (mutable->flags & TNL_F_IN_KEY_MATCH || !mutable->key.daddr)
tunnel_flags = OVS_TNL_F_KEY;
projects / mirror_ovs.git / commitdiff