The ipv6_sanity_check() function implemented a check for IPv6 payload
length wrong: ip6_plen is the payload length but this function checked
whether it was longer than the total length of IPv6 header plus payload.
This meant that a packet with a crafted ip6_plen could result in a buffer
overread of up to the length of an IPv6 header (40 bytes).
The kernel datapath flow extraction code does not obviously have a similar
problem.
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9287
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Darrell Ball <dlu998@gmail.com>
}
plen = ntohs(nh->ip6_plen);
- if (OVS_UNLIKELY(plen > size)) {
+ if (OVS_UNLIKELY(plen + IPV6_HEADER_LEN > size)) {
return false;
}
/* Jumbo Payload option not supported yet. */