From: Ben Pfaff <blp@ovn.org>
Date: Mon, 7 Mar 2016 15:30:39 -0800
Subject: [PATCH branch-2.3] flow: Fix buffer overflow for crafted MPLS packets.
A bug in MPLS parsing could cause a crafted MPLS packet to overflow the
buffer reserved for MPLS labels in the OVS internal flow structure. This
fixes the problem.
This commit also fixes a secondary problem where an MPLS packet with zero
labels could cause an out-of-range shift that would overwrite memory.
There is no obvious way to control the data used in the overwrite, so this
is harder to exploit.
Vulnerability: CVE-2016-2074
Reported-by: Kashyap Thimmaraju <kashyap.thimmaraju@sec.t-labs.tu-berlin.de>
Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de>
Signed-off-by: Ben Pfaff <blp@ovn.org>
---
lib/flow.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/flow.c b/lib/flow.c
index 52a384e..61a66ec 100644
--- a/lib/flow.c
+++ b/lib/flow.c
@@ -159,7 +159,7 @@ struct mf_ctx {
/* Data at 'valuep' may be unaligned. */
#define miniflow_push_words_(MF, OFS, VALUEP, N_WORDS) \
-{ \
+if (N_WORDS) { \
int ofs32 = (OFS) / 4; \
\
MINIFLOW_ASSERT(MF.data + (N_WORDS) <= MF.end && (OFS) % 4 == 0 \
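Review bot: turning the macro body's opening `{` into `if (N_WORDS) {` makes every expansion of `miniflow_push_words_` a bare `if` statement, so a call site of the form `if (cond) miniflow_push_words_(...); else ...` would have its `else` captured by the macro's own `if`. Wrapping the body as `do { if (N_WORDS) { ... } } while (0)` keeps the guard and removes that hazard. A short comment on the guard itself would also help: nothing in the hunk says why zero words must be skipped, and the commit message's note about an out-of-range shift on a zero-label packet is the context a future reader needs here.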
@@ -210,7 +210,7 @@ parse_mpls(void **datap, size_t *sizep)
break;
}
}
- return MAX(count, FLOW_MAX_MPLS_LABELS);
+ return MIN(count, FLOW_MAX_MPLS_LABELS);
}
static inline ovs_be16
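Review bot: the `MAX` to `MIN` change is the right fix for the return value, since `MAX(count, FLOW_MAX_MPLS_LABELS)` could only ever report a label count at or above the limit, but the hunk shows only the return statement, not the loop that stores labels, so it is not visible whether the store into the fixed-size label area is bounded independently of this return. It would be worth confirming that the loop itself stops at `FLOW_MAX_MPLS_LABELS` and adding a unit test that feeds `parse_mpls` a packet carrying more labels than `FLOW_MAX_MPLS_LABELS` and one carrying none, so that both defects named in the commit message have a regression check.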
--
2.1.3