9c6c8e85 WB |
1 | From: Ben Pfaff <blp at ovn.org> |
2 | Date: Mon, 7 Mar 2016 15:30:39 -0800 | |
3 | Subject: [PATCH branch-2.3] flow: Fix buffer overflow for crafted MPLS packets. | |
4 | ||
5 | A bug in MPLS parsing could cause a crafted MPLS packet to overflow the | |
6 | buffer reserved for MPLS labels in the OVS internal flow structure. This | |
7 | fixes the problem. | |
8 | ||
9 | This commit also fixes a secondary problem where an MPLS packet with zero | |
10 | labels could cause an out-of-range shift that would overwrite memory. | |
11 | There is no obvious way to control the data used in the overwrite, so this | |
12 | is harder to exploit. | |
13 | ||
14 | Vulnerability: CVE-2016-2074 | |
15 | Reported-by: Kashyap Thimmaraju <kashyap.thimmaraju at sec.t-labs.tu-berlin.de> | |
16 | Reported-by: Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de> | |
17 | Signed-off-by: Ben Pfaff <blp at ovn.org> | |
18 | Acked-by: Jesse Gross <jesse at kernel.org> | |
19 | --- | |
20 | lib/flow.c | 6 +++--- | |
21 | 1 file changed, 3 insertions(+), 3 deletions(-) | |
22 | ||
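diff --git a/lib/flow.c b/lib/flow.c
index 52a384e..61a66ec 100644
--- a/lib/flow.c
+++ b/lib/flow.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2014 Nicira, Inc.
+ * Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2016 Nicira, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -159,7 +159,7 @@ struct mf_ctx {
 
 /* Data at 'valuep' may be unaligned. */
 #define miniflow_push_words_(MF, OFS, VALUEP, N_WORDS) \
-{ \
+if (N_WORDS) { \
 int ofs32 = (OFS) / 4; \
 \
 MINIFLOW_ASSERT(MF.data + (N_WORDS) <= MF.end && (OFS) % 4 == 0 \
@@ -210,7 +210,7 @@ parse_mpls(void **datap, size_t *sizep)
 break;
 }
 }
- return MAX(count, FLOW_MAX_MPLS_LABELS);
+ return MIN(count, FLOW_MAX_MPLS_LABELS);
 }
 
 static inline ovs_be16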
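Review bot: The new `if (N_WORDS) { \` opening in `miniflow_push_words_` makes the macro expand to a bare `if` statement, so an `else` written after a call site would silently bind to the macro's guard, and `N_WORDS` is now evaluated one more time per expansion. Wrapping the body as `do { if (N_WORDS) { ... } } while (0)` would keep the zero-label guard while making the expansion a single statement, provided every call site ends in a semicolon; the rest of the macro and its callers lie outside the hunk, so that needs checking against the full file. Separately, as far as these hunks show, the `MIN(count, FLOW_MAX_MPLS_LABELS)` clamp in `parse_mpls` is the only thing bounding the label copy, since the visible `MINIFLOW_ASSERT` is presumably not a production check. A one-line comment above the return, such as `/* Never report more labels than the flow's MPLS array can hold. */`, would guard against an accidental revert.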
52 | -- | |
53 | 2.1.3 | |
54 |