utilities/ovs-ctl.in | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 don't monitor ipsec daemon
 For Ubuntu systemd will monitor the ovs-monitor-ipsec daemon so
 there is no need to spawn a separate monitor thread to deal with
 restarts.  Doing so has the side effect of confusing systemd into
 monitoring the wrong process.

include/openvswitch/meta-flow.h | 4 4 + 0 - 0 !
lib/meta-flow.c | 25 25 + 0 - 0 !
ofproto/ofproto-dpif-xlate.c | 8 8 + 0 - 0 !
tests/ofproto-dpif.at | 18 9 + 9 - 0 !
tests/ofproto.at | 182 182 + 0 - 0 !
tests/packet-type-aware.at | 2 1 + 1 - 0 !
6 files changed, 229 insertions(+), 10 deletions(-)

 cve-2023-1668: ofproto-dpif-xlate: always mask ip proto field.
 The ofproto layer currently treats nw_proto field as overloaded to mean
 both that a proper nw layer exists, as well as the value contained in
 the header for the nw proto.  However, this is incorrect behavior as
 relevant standards permit that any value, including '0' should be treated
 as a valid value.
 .
 Because of this overload, when the ofproto layer builds action list for
 a packet with nw_proto of 0, it won't build the complete action list that
 we expect to be built for the packet.  That will cause a bad behavior
 where all packets passing the datapath will fall into an incomplete
 action set.
 .
 The fix here is to unwildcard nw_proto, allowing us to preserve setting
 actions for protocols which we know have support for the actions we
 program.  This means that a traffic which contains nw_proto == 0 cannot
 cause connectivity breakage with other traffic on the link.

lib/classifier.c | 25 20 + 5 - 0 !
tests/classifier.at | 88 88 + 0 - 0 !
2 files changed, 108 insertions(+), 5 deletions(-)

 [patch] classifier: fix missing masks on a final stage with ports
 trie.

Flow lookup doesn't include masks of the final stage in a resulting
flow wildcards in case that stage had L4 ports match.  Only the result
of ports trie lookup is added to the mask.  It might be sufficient in
many cases, but it's not correct, because ports trie is not how we
decided that the packet didn't match in this subtable.  In fact, we
used a full subtable mask in order to determine that, so all the
subtable mask bits has to be added.

Ports trie can still be used to adjust ports' mask, but it is not
sufficient to determine that the packet didn't match.

Assuming we have following 2 OpenFlow rules on the bridge:

 table=0, priority=10,tcp,tp_dst=80,tcp_flags=+psh actions=drop
 table=0, priority=0 actions=output(1)

The first high priority rule supposed to drop all the TCP data traffic
sent on port 80.  The handshake, however, is allowed for forwarding.

Both 'tcp_flags' and 'tp_dst' are on the final stage in the flow.
Since the stage mask from that stage is not incorporated into the flow
wildcards and only ports mask is getting updated, we have the following
megaflow for the SYN packet that has no match on 'tcp_flags':

 $ ovs-appctl ofproto/trace br0 "in_port=br0,tcp,tp_dst=80,tcp_flags=syn"

 Megaflow: recirc_id=0,eth,tcp,in_port=LOCAL,nw_frag=no,tp_dst=80
 Datapath actions: 1

If this flow is getting installed into datapath flow table, all the
packets for port 80, regardless of TCP flags, will be forwarded.

Incorporating all the looked at bits from the final stage into the
stages map in order to get all the necessary wildcards.  Ports mask
has to be updated as a last step, because it doesn't cover the full
64-bit slot in the flowmap.

With this change, in the example above, OVS is producing correct
flow wildcards including match on TCP flags:

 Megaflow: recirc_id=0,eth,tcp,in_port=LOCAL,nw_frag=no,tp_dst=80,tcp_flags=-psh
 Datapath actions: 1

This way only -psh packets will be forwarded, as expected.

This issue affects all other fields on stage 4, not only TCP flags.
Tests included to cover tcp_flags, nd_target and ct_tp_src/dst.
First two are frequently used, ct ones are sharing the same flowmap
slot with L4 ports, so important to test.

Before the pre-computation of stage masks, flow wildcards were updated
during lookup, so there was no issue.  The bits of the final stage was
lost with introduction of 'stages_map'.

Recent adjustment of segment boundaries exposed 'tcp_flags' to the issue.

Reported-at: https://github.com/openvswitch/ovs-issues/issues/272
Fixes: ca44218515f0 ("classifier: Adjust segment boundary to execute prerequisite processing.")
Fixes: fa2fdbf8d0c1 ("classifier: Pre-compute stage masks.")

lib/netdev-offload-tc.c | 25 20 + 5 - 0 !
tests/system-offloads-traffic.at | 33 33 + 0 - 0 !
2 files changed, 53 insertions(+), 5 deletions(-)

 cve-2023-3966 netdev-offload-tc: check geneve metadata length.
 Currently ovs-vswitchd crashes, with hw offloading enabled, if a geneve
 packet with corrupted metadata is received, because the metadata header
 is not verified correctly.
 .
 This commit adds a check for geneve metadata length and, if the header
 is wrong, the packet is not sent to flower.
 .
 It also includes a system-traffic test for geneve packets with corrupted
 metadata.
 .
Fixes: a468645c6d33 ("lib/tc: add geneve with option match offload")
Reported-by: Haresh Khandelwal <hakhande@redhat.com>
Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Bug-Debian: https://bugs.debian.org/1063492