datapath-windows: Add validations for IP_HEADER_LEN

author Shashank Ram <rams@vmware.com>

Thu, 15 Jun 2017 22:15:47 +0000 (15:15 -0700)

committer Gurucharan Shetty <guru@ovn.org>

Thu, 22 Jun 2017 19:32:41 +0000 (12:32 -0700)
author Shashank Ram <rams@vmware.com>
Thu, 15 Jun 2017 22:15:47 +0000 (15:15 -0700)
committer Gurucharan Shetty <guru@ovn.org>
Thu, 22 Jun 2017 19:32:41 +0000 (12:32 -0700)
diff --git a/datapath-windows/ovsext/Flow.c b/datapath-windows/ovsext/Flow.c

index 60f9b1c602430ef53ceaf4b186456f513b987ca4..852a22fe65784751336ced7d3e34ef6700d5e695 100644 (file)
--- a/datapath-windows/ovsext/Flow.c
+++ b/datapath-windows/ovsext/Flow.c
@@ -2141,6 +2141,9 @@ OvsExtractLayers(const NET_BUFFER_LIST *packet,
                      }
                  }
              }
+        } else {
+            /* Invalid network header */
+            return NDIS_STATUS_INVALID_PACKET;
          }
      } else if (dlType == htons(ETH_TYPE_IPV6)) {
          NDIS_STATUS status;
@@ -2360,8 +2363,10 @@ OvsExtractFlow(const NET_BUFFER_LIST *packet,
                  }
              }
          } else {
+            /* Invalid network header */
              ((UINT64 *)ipKey)[0] = 0;
              ((UINT64 *)ipKey)[1] = 0;
+            return NDIS_STATUS_INVALID_PACKET;
          }
      } else if (flow->l2.dlType == htons(ETH_TYPE_IPV6)) {
          NDIS_STATUS status;
diff --git a/datapath-windows/ovsext/Offload.c b/datapath-windows/ovsext/Offload.c

index 65d3b67445b8b82eee33900360720181b56807c5..0905c8057bb2a8faae7c26508661791d78039b75 100644 (file)
--- a/datapath-windows/ovsext/Offload.c
+++ b/datapath-windows/ovsext/Offload.c
@@ -563,6 +563,9 @@ OvsValidateIPChecksum(PNET_BUFFER_LIST curNbl,
              if (checksum != hdrChecksum) {
                  return NDIS_STATUS_FAILURE;
              }
+        } else {
+            /* Invalid network header */
+            return NDIS_STATUS_FAILURE;
          }
      }
      return NDIS_STATUS_SUCCESS;
diff --git a/datapath-windows/ovsext/PacketParser.h b/datapath-windows/ovsext/PacketParser.h

index f1d7f283d0bb58e120566b6545053c10047ed31d..0d5c0a6cb420afefccf41c9d18f2a118df7f6890 100644 (file)
--- a/datapath-windows/ovsext/PacketParser.h
+++ b/datapath-windows/ovsext/PacketParser.h
@@ -17,6 +17,8 @@
  #ifndef __PACKET_PARSER_H_
  #define __PACKET_PARSER_H_ 1
  
+#define MIN_IPV4_HLEN 20
+
  #include "precomp.h"
  #include "NetProto.h"
  
@@ -107,7 +109,12 @@ OvsGetIp(const NET_BUFFER_LIST *packet,
      const IPHdr *ip = OvsGetPacketBytes(packet, sizeof *ip, ofs, storage);
      if (ip) {
          int ipLen = ip->ihl * 4;
-        if (ipLen >= sizeof *ip && OvsPacketLenNBL(packet) >= ofs + ipLen) {
+        if (ipLen <  MIN_IPV4_HLEN ||
+                ipLen > MAX_IPV4_HLEN ||
+                OvsPacketLenNBL(packet) < ofs + ipLen) {
+           /* IP header is invalid, flag it */
+           return NULL;
+        } else {
              return ip;
          }
      }
diff --git a/datapath-windows/ovsext/Stt.c b/datapath-windows/ovsext/Stt.c

index 1f368358ab517299a3ee1fab2b44970cb3c5508a..676cf0c3ee287ce001bb5571770afe030c3d67d9 100644 (file)
--- a/datapath-windows/ovsext/Stt.c
+++ b/datapath-windows/ovsext/Stt.c
@@ -1019,7 +1019,7 @@ OvsDecapStt(POVS_SWITCH_CONTEXT switchContext,
                  innerIpHdr->check = IPChecksum((UINT8 *)innerIpHdr,
                                                  innerIpHdr->ihl * 4, 0);
              } else {
-                status = NDIS_STATUS_RESOURCES;
+                status = NDIS_STATUS_INVALID_PACKET;
                  goto dropNbl;
              }
          } else if (layers.isIPv6) {
diff --git a/datapath-windows/ovsext/User.c b/datapath-windows/ovsext/User.c

index 78802200f13d36e68551092962c200a7eebce0dd..22ee7afe23dbdf53c1f62030263f202e2c127214 100644 (file)
--- a/datapath-windows/ovsext/User.c
+++ b/datapath-windows/ovsext/User.c
@@ -465,6 +465,11 @@ OvsExecuteDpIoctl(OvsPacketExecute *execute)
      ndisStatus = OvsExtractFlow(pNbl, execute->inPort, &key, &layers,
                       tempTunKey.tunKey.dst == 0 ? NULL : &tempTunKey.tunKey);
  
+    if (ndisStatus != NDIS_STATUS_SUCCESS) {
+        /* Invalid network header */
+        goto dropit;
+    }
+
      ctx = (POVS_BUFFER_CONTEXT)NET_BUFFER_LIST_CONTEXT_DATA_START(pNbl);
      ctx->mru = execute->mru;
  
diff --git a/datapath-windows/ovsext/Vxlan.c b/datapath-windows/ovsext/Vxlan.c

index 427f31c55e8866cce4568de47157d7a6f0ef0425..f66a7e57fceacafbbcd2af8fad6370a3c182f91a 100644 (file)
--- a/datapath-windows/ovsext/Vxlan.c
+++ b/datapath-windows/ovsext/Vxlan.c
@@ -489,7 +489,8 @@ OvsSlowPathDecapVxlan(const PNET_BUFFER_LIST packet,
          if (nh) {
              layers.l4Offset = layers.l3Offset + nh->ihl * 4;
          } else {
-            break;
+           status = NDIS_STATUS_INVALID_PACKET;
+           break;
          }
  
          /* make sure it's a VXLAN packet */
author	Shashank Ram <rams@vmware.com>
	Thu, 15 Jun 2017 22:15:47 +0000 (15:15 -0700)
committer	Gurucharan Shetty <guru@ovn.org>
	Thu, 22 Jun 2017 19:32:41 +0000 (12:32 -0700)
datapath-windows/ovsext/Flow.c		patch \| blob \| blame \| history
datapath-windows/ovsext/Offload.c		patch \| blob \| blame \| history
datapath-windows/ovsext/PacketParser.h		patch \| blob \| blame \| history
datapath-windows/ovsext/Stt.c		patch \| blob \| blame \| history
datapath-windows/ovsext/User.c		patch \| blob \| blame \| history
datapath-windows/ovsext/Vxlan.c		patch \| blob \| blame \| history