[openvswitch.git] / pvepatches / CVE-2016-2074.patch

From: Ben Pfaff <blp at ovn.org>
Date: Mon, 7 Mar 2016 15:30:39 -0800
Subject: [PATCH branch-2.3] flow: Fix buffer overflow for crafted MPLS packets.

A bug in MPLS parsing could cause a crafted MPLS packet to overflow the
buffer reserved for MPLS labels in the OVS internal flow structure.  This
fixes the problem.

This commit also fixes a secondary problem where an MPLS packet with zero
labels could cause an out-of-range shift that would overwrite memory.
There is no obvious way to control the data used in the overwrite, so this
is harder to exploit.

Vulnerability: CVE-2016-2074
Reported-by: Kashyap Thimmaraju <kashyap.thimmaraju at sec.t-labs.tu-berlin.de>
Reported-by: Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de>
Signed-off-by: Ben Pfaff <blp at ovn.org>
Acked-by: Jesse Gross <jesse at kernel.org>
---
 lib/flow.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/flow.c b/lib/flow.c
index 52a384e..61a66ec 100644
--- a/lib/flow.c
+++ b/lib/flow.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2014 Nicira, Inc.
+ * Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2016 Nicira, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -159,7 +159,7 @@ struct mf_ctx {
 
 /* Data at 'valuep' may be unaligned. */
 #define miniflow_push_words_(MF, OFS, VALUEP, N_WORDS)          \
-{                                                               \
+if (N_WORDS) {                                                  \
     int ofs32 = (OFS) / 4;                                      \
                                                                         \
     MINIFLOW_ASSERT(MF.data + (N_WORDS) <= MF.end && (OFS) % 4 == 0     \
@@ -210,7 +210,7 @@ parse_mpls(void **datap, size_t *sizep)
             break;
         }
     }
-    return MAX(count, FLOW_MAX_MPLS_LABELS);
+    return MIN(count, FLOW_MAX_MPLS_LABELS);
 }
 
 static inline ovs_be16
-- 
2.1.3
Commit	Line	Data
9c6c8e85 WB	1	From: Ben Pfaff <blp at ovn.org>
	2	Date: Mon, 7 Mar 2016 15:30:39 -0800
	3	Subject: [PATCH branch-2.3] flow: Fix buffer overflow for crafted MPLS packets.
	4
	5	A bug in MPLS parsing could cause a crafted MPLS packet to overflow the
	6	buffer reserved for MPLS labels in the OVS internal flow structure. This
	7	fixes the problem.
	8
	9	This commit also fixes a secondary problem where an MPLS packet with zero
	10	labels could cause an out-of-range shift that would overwrite memory.
	11	There is no obvious way to control the data used in the overwrite, so this
	12	is harder to exploit.
	13
	14	Vulnerability: CVE-2016-2074
	15	Reported-by: Kashyap Thimmaraju <kashyap.thimmaraju at sec.t-labs.tu-berlin.de>
	16	Reported-by: Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de>
	17	Signed-off-by: Ben Pfaff <blp at ovn.org>
	18	Acked-by: Jesse Gross <jesse at kernel.org>
	19	---
	20	lib/flow.c \| 6 +++---
	21	1 file changed, 3 insertions(+), 3 deletions(-)
	22
	23	diff --git a/lib/flow.c b/lib/flow.c
	24	index 52a384e..61a66ec 100644
	25	--- a/lib/flow.c
	26	+++ b/lib/flow.c
	27	@@ -1,5 +1,5 @@
	28	/*
	29	- * Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2014 Nicira, Inc.
	30	+ * Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2016 Nicira, Inc.
	31	*
	32	* Licensed under the Apache License, Version 2.0 (the "License");
	33	* you may not use this file except in compliance with the License.
	34	@@ -159,7 +159,7 @@ struct mf_ctx {
	35
	36	/* Data at 'valuep' may be unaligned. */
	37	#define miniflow_push_words_(MF, OFS, VALUEP, N_WORDS) \
	38	-{ \
	39	+if (N_WORDS) { \
	40	int ofs32 = (OFS) / 4; \
	41	\
	42	MINIFLOW_ASSERT(MF.data + (N_WORDS) <= MF.end && (OFS) % 4 == 0 \
	43	@@ -210,7 +210,7 @@ parse_mpls(void *datap, size_t sizep)
	44	break;
	45	}
	46	}
	47	- return MAX(count, FLOW_MAX_MPLS_LABELS);
	48	+ return MIN(count, FLOW_MAX_MPLS_LABELS);
	49	}
	50
	51	static inline ovs_be16
	52	--
	53	2.1.3
	54