Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/2225015/?format=api
{ "id": 2225015, "url": "http://patchwork.ozlabs.org/api/patches/2225015/?format=api", "web_url": "http://patchwork.ozlabs.org/project/ovn/patch/20260420090026.1666597-1-amusil@redhat.com/", "project": { "id": 68, "url": "http://patchwork.ozlabs.org/api/projects/68/?format=api", "name": "Open Virtual Network development", "link_name": "ovn", "list_id": "ovs-dev.openvswitch.org", "list_email": "ovs-dev@openvswitch.org", "web_url": "http://openvswitch.org/", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260420090026.1666597-1-amusil@redhat.com>", "list_archive_url": null, "date": "2026-04-20T09:00:24", "name": "[ovs-dev,1/3] pinctrl: Limit the IP packet size to buffer size for ICMP Need Frag.", "commit_ref": null, "pull_url": null, "state": "accepted", "archived": false, "hash": "06d3aba58159c90ee1055c983e7c7f3d54e27c33", "submitter": { "id": 83634, "url": "http://patchwork.ozlabs.org/api/people/83634/?format=api", "name": "Ales Musil", "email": "amusil@redhat.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/ovn/patch/20260420090026.1666597-1-amusil@redhat.com/mbox/", "series": [ { "id": 500572, "url": "http://patchwork.ozlabs.org/api/series/500572/?format=api", "web_url": "http://patchwork.ozlabs.org/project/ovn/list/?series=500572", "date": "2026-04-20T09:00:24", "name": "[ovs-dev,1/3] pinctrl: Limit the IP packet size to buffer size for ICMP Need Frag.", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/500572/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2225015/comments/", "check": "fail", "checks": "http://patchwork.ozlabs.org/api/patches/2225015/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<ovs-dev-bounces@openvswitch.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "dev@openvswitch.org" ], "Delivered-To": [ "patchwork-incoming@legolas.ozlabs.org", "ovs-dev@lists.linuxfoundation.org" ], "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key;\n unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=EwwL5CZa;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org\n (client-ip=2605:bc80:3010::133; helo=smtp2.osuosl.org;\n envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org)", "smtp2.osuosl.org;\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key)\n header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=EwwL5CZa", "smtp2.osuosl.org; dmarc=pass (p=quarantine dis=none)\n header.from=redhat.com" ], "Received": [ "from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fzfbC5Hrcz1yGs\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 20 Apr 2026 19:00:39 +1000 (AEST)", "from localhost (localhost [127.0.0.1])\n\tby smtp2.osuosl.org (Postfix) with ESMTP id A2C6940812;\n\tMon, 20 Apr 2026 09:00:37 +0000 (UTC)", "from smtp2.osuosl.org ([127.0.0.1])\n by localhost (smtp2.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id vUCnWL_XZbsl; Mon, 20 Apr 2026 09:00:36 +0000 (UTC)", "from lists.linuxfoundation.org (lf-lists.osuosl.org\n [IPv6:2605:bc80:3010:104::8cd3:938])\n\tby smtp2.osuosl.org (Postfix) with ESMTPS id 96F9A40024;\n\tMon, 20 Apr 2026 09:00:36 +0000 (UTC)", "from lf-lists.osuosl.org (localhost [127.0.0.1])\n\tby lists.linuxfoundation.org (Postfix) with ESMTP id 758CEC058E;\n\tMon, 20 Apr 2026 09:00:36 +0000 (UTC)", "from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133])\n by lists.linuxfoundation.org (Postfix) with ESMTP id 6B186C058D\n for <dev@openvswitch.org>; Mon, 20 Apr 2026 09:00:35 +0000 (UTC)", "from localhost (localhost [127.0.0.1])\n by smtp2.osuosl.org (Postfix) with ESMTP id 5D28740810\n for <dev@openvswitch.org>; Mon, 20 Apr 2026 09:00:35 +0000 (UTC)", "from smtp2.osuosl.org ([127.0.0.1])\n by localhost (smtp2.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id XpmsO-ppM8wM for <dev@openvswitch.org>;\n Mon, 20 Apr 2026 09:00:34 +0000 (UTC)", "from us-smtp-delivery-124.mimecast.com\n (us-smtp-delivery-124.mimecast.com [170.10.133.124])\n by smtp2.osuosl.org (Postfix) with ESMTPS id 6F9B34080C\n for <dev@openvswitch.org>; Mon, 20 Apr 2026 09:00:33 +0000 (UTC)", "from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com\n (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by\n relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,\n cipher=TLS_AES_256_GCM_SHA384) id us-mta-54-OqZx5DAtOba49p5UInZ92g-1; Mon,\n 20 Apr 2026 05:00:30 -0400", "from mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com\n (mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.4])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS\n id AA30F19560BA; Mon, 20 Apr 2026 09:00:29 +0000 (UTC)", "from amusil.redhat.com (unknown [10.44.33.221])\n by mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP\n id E88143000C20; Mon, 20 Apr 2026 09:00:27 +0000 (UTC)" ], "X-Virus-Scanned": [ "amavis at osuosl.org", "amavis at osuosl.org" ], "X-Comment": "SPF check N/A for local connections -\n client-ip=2605:bc80:3010:104::8cd3:938; helo=lists.linuxfoundation.org;\n envelope-from=ovs-dev-bounces@openvswitch.org; receiver=<UNKNOWN> ", "DKIM-Filter": [ "OpenDKIM Filter v2.11.0 smtp2.osuosl.org 96F9A40024", "OpenDKIM Filter v2.11.0 smtp2.osuosl.org 6F9B34080C" ], "Received-SPF": "Pass (mailfrom) identity=mailfrom; client-ip=170.10.133.124;\n helo=us-smtp-delivery-124.mimecast.com; envelope-from=amusil@redhat.com;\n receiver=<UNKNOWN>", "DMARC-Filter": "OpenDMARC Filter v1.4.2 smtp2.osuosl.org 6F9B34080C", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;\n s=mimecast20190719; t=1776675632;\n h=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n to:to:cc:cc:mime-version:mime-version:content-type:content-type:\n content-transfer-encoding:content-transfer-encoding;\n bh=jmreTLkrD6XdSn3KV3S2H0pUUnBrZwgvZAND9JRflgE=;\n b=EwwL5CZaJCUZ9ZGzxsrJqqq4O/w6AtzJPNF4ShsYu1xyg9nfgH+D8JWPr7Y3jb1AUWWm0L\n +A4sRRb7LA5/42AnyIbifQl9SWibzPG6Lfb5zuShgf+hn0tpR5ldR941lVVRIazNy13lZF\n OjLmRftvg9zYfFVz4wgC4WoMDjyNEc8=", "X-MC-Unique": "OqZx5DAtOba49p5UInZ92g-1", "X-Mimecast-MFC-AGG-ID": "OqZx5DAtOba49p5UInZ92g_1776675629", "To": "dev@openvswitch.org", "Date": "Mon, 20 Apr 2026 11:00:24 +0200", "Message-ID": "<20260420090026.1666597-1-amusil@redhat.com>", "MIME-Version": "1.0", "X-Scanned-By": "MIMEDefang 3.4.1 on 10.30.177.4", "X-Mimecast-Spam-Score": "0", "X-Mimecast-MFC-PROC-ID": "fxxLAjhlOP4jq2MnZimV8kSniNOz28zaaBFEflQT_tA_1776675629", "X-Mimecast-Originator": "redhat.com", "Subject": "[ovs-dev] [PATCH ovn 1/3] pinctrl: Limit the IP packet size to\n buffer size for ICMP Need Frag.", "X-BeenThere": "ovs-dev@openvswitch.org", "X-Mailman-Version": "2.1.30", "Precedence": "list", "List-Id": "<ovs-dev.openvswitch.org>", "List-Unsubscribe": "<https://mail.openvswitch.org/mailman/options/ovs-dev>,\n <mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>", "List-Archive": "<http://mail.openvswitch.org/pipermail/ovs-dev/>", "List-Post": "<mailto:ovs-dev@openvswitch.org>", "List-Help": "<mailto:ovs-dev-request@openvswitch.org?subject=help>", "List-Subscribe": "<https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,\n <mailto:ovs-dev-request@openvswitch.org?subject=subscribe>", "From": "Ales Musil via dev <ovs-dev@openvswitch.org>", "Reply-To": "Ales Musil <amusil@redhat.com>", "Cc": "Seiji Sakurai <Seiji.Sakurai@outlook.com>,\n Dumitru Ceara <dceara@redhat.com>", "Content-Type": "text/plain; charset=\"us-ascii\"", "Content-Transfer-Encoding": "7bit", "Errors-To": "ovs-dev-bounces@openvswitch.org", "Sender": "\"dev\" <ovs-dev-bounces@openvswitch.org>" }, "content": "The ICMP need frag copies part of the IP packet, which is limited by\nthe space after ICMP header. However the packet size would be taken\nfrom the IP header itself. That is problematic because we could\nreceive empty packet with the IP header packet size set to arbitrary\nnumber. To prevent that limit the size to the buffer size so we will\nnever copy more than what is in the packet data.\n\nFixes: c2339d87268d (\"ovn: Add a new OVN action 'icmp4_error'\")\nReported-by: Seiji Sakurai <Seiji.Sakurai@outlook.com>\nCo-authored-by: Seiji Sakurai <Seiji.Sakurai@outlook.com>\nAcked-by: Dumitru Ceara <dceara@redhat.com>\nSigned-off-by: Seiji Sakurai <Seiji.Sakurai@outlook.com>\nSigned-off-by: Ales Musil <amusil@redhat.com>\n---\n controller/pinctrl.c | 7 ++--\n tests/system-ovn.at | 83 ++++++++++++++++++++++++++++++++++++++++++++\n 2 files changed, 88 insertions(+), 2 deletions(-)", "diff": "diff --git a/controller/pinctrl.c b/controller/pinctrl.c\nindex 18b7b0df2..682b88b1a 100644\n--- a/controller/pinctrl.c\n+++ b/controller/pinctrl.c\n@@ -1674,7 +1674,8 @@ pinctrl_handle_icmp(struct rconn *swconn, const struct flow *ip_flow,\n \n if (get_dl_type(ip_flow) == htons(ETH_TYPE_IP)) {\n struct ip_header *in_ip = dp_packet_l3(pkt_in);\n- uint16_t in_ip_len = ntohs(in_ip->ip_tot_len);\n+ uint16_t in_ip_len =\n+ MIN(ntohs(in_ip->ip_tot_len), dp_packet_l3_size(pkt_in));\n if (in_ip_len < IP_HEADER_LEN) {\n static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 5);\n VLOG_WARN_RL(&rl,\n@@ -1734,7 +1735,9 @@ pinctrl_handle_icmp(struct rconn *swconn, const struct flow *ip_flow,\n ih->icmp_csum = csum(ih, sizeof *ih + in_ip_len);\n } else {\n struct ovs_16aligned_ip6_hdr *in_ip = dp_packet_l3(pkt_in);\n- uint16_t in_ip_len = (uint16_t) sizeof *in_ip + ntohs(in_ip->ip6_plen);\n+ uint16_t pkt_in_ip_len =\n+ (uint16_t) sizeof *in_ip + ntohs(in_ip->ip6_plen);\n+ uint16_t in_ip_len = MIN(pkt_in_ip_len, dp_packet_l3_size(pkt_in));\n \n const struct in6_addr *ip6_src =\n loopback ? &ip_flow->ipv6_dst : &ip_flow->ipv6_src;\ndiff --git a/tests/system-ovn.at b/tests/system-ovn.at\nindex 8d1f21609..06c5c4b2c 100644\n--- a/tests/system-ovn.at\n+++ b/tests/system-ovn.at\n@@ -21665,3 +21665,86 @@ OVS_TRAFFIC_VSWITCHD_STOP([\"/failed to query port patch-.*/d\n /connection dropped.*/d\"])\n AT_CLEANUP\n ])\n+\n+OVN_FOR_EACH_NORTHD([\n+AT_SETUP([ACL - ICMP unreachable heap overread])\n+AT_SKIP_IF([test $HAVE_SCAPY = no])\n+\n+ovn_start\n+\n+OVS_TRAFFIC_VSWITCHD_START()\n+ADD_BR([br-int])\n+\n+# Set external-ids in br-int needed for ovn-controller.\n+check ovs-vsctl \\\n+ -- set Open_vSwitch . external-ids:system-id=hv1 \\\n+ -- set Open_vSwitch . external-ids:ovn-remote=unix:$ovs_base/ovn-sb/ovn-sb.sock \\\n+ -- set Open_vSwitch . external-ids:ovn-encap-type=geneve \\\n+ -- set Open_vSwitch . external-ids:ovn-encap-ip=169.0.0.1 \\\n+ -- set bridge br-int fail-mode=secure other-config:disable-in-band=true\n+\n+start_daemon ovn-controller\n+\n+# Create a logical switch with a port and a reject ACL.\n+check ovn-nbctl ls-add ls1\n+check ovn-nbctl lsp-add ls1 ls1-lp1 \\\n+ -- lsp-set-addresses ls1-lp1 \"f0:00:00:00:00:01 10.0.0.4 fd10::4\"\n+\n+# Add a reject ACL: any traffic to ls1-lp1 gets ICMP Destination Unreachable.\n+check ovn-nbctl acl-add ls1 to-lport 1000 \"outport == \\\"ls1-lp1\\\"\" reject\n+\n+# We need a second port as the \"sender\".\n+check ovn-nbctl lsp-add ls1 ls1-lp2 \\\n+ -- lsp-set-addresses ls1-lp2 \"f0:00:00:00:00:02 10.0.0.5 fd10::5\"\n+\n+ADD_NAMESPACES(ls1-lp1)\n+ADD_VETH(ls1-lp1, ls1-lp1, br-int, \"fd10::4/96\", \"f0:00:00:00:00:01\", \\\n+ \"fd10::1\", \"nodad\", \"10.0.0.4/24\", \"10.0.0.1\")\n+\n+ADD_NAMESPACES(ls1-lp2)\n+ADD_VETH(ls1-lp2, ls1-lp2, br-int, \"fd10::5/96\", \"f0:00:00:00:00:02\", \\\n+ \"fd10::1\", \"nodad\", \"10.0.0.5/24\", \"10.0.0.1\")\n+\n+NETNS_START_TCPDUMP([ls1-lp2], [-nnne -i ls1-lp2 icmp or icmp6], [ls1-lp2])\n+\n+OVN_POPULATE_ARP\n+wait_for_ports_up\n+check ovn-nbctl --wait=hv sync\n+\n+# UDP but IP length claims 508 bytes while actual packet is smaller.\n+ip netns exec ls1-lp2 scapy -H <<-EOF\n+p = Ether(dst='f0:00:00:00:00:01', src='f0:00:00:00:00:02') / \\\n+ IP(src='10.0.0.5', dst='10.0.0.4', ttl=64, len=508) / \\\n+ UDP(sport=12345, dport=5050) / \\\n+ Raw(load=b'AAAA')\n+sendp (p, iface='ls1-lp2', loop = 0, verbose = 0, count = 1)\n+EOF\n+\n+# UDP but IPv6 length claims 508 bytes while actual packet is smaller.\n+ip netns exec ls1-lp2 scapy -H <<-EOF\n+p = Ether(dst='f0:00:00:00:00:01', src='f0:00:00:00:00:02') / \\\n+ IPv6(src='fd10::5', dst='fd10::4', plen=508) / \\\n+ UDP(sport=12345, dport=5050) / \\\n+ Raw(load=b'AAAA')\n+sendp (p, iface='ls1-lp2', loop = 0, verbose = 0, count = 1)\n+EOF\n+\n+OVS_WAIT_UNTIL([\n+ test \"$(grep 'unreachable' -c ls1-lp2.tcpdump)\" = \"2\"\n+])\n+\n+ip4_length=$(grep \"ICMP \" ls1-lp2.tcpdump | grep \"unreachable\" | rev | cut -d \" \" -f1 | rev)\n+ip6_length=$(grep \"ICMP6\" ls1-lp2.tcpdump | grep \"unreachable\" | rev | cut -d \" \" -f1 | rev)\n+\n+check test $ip4_length -eq 40\n+check test $ip6_length -eq 60\n+\n+OVN_CLEANUP_CONTROLLER([hv1])\n+OVN_CLEANUP_NORTHD\n+\n+as\n+OVS_TRAFFIC_VSWITCHD_STOP([\"/failed to query port patch-.*/d\n+/connection dropped.*/d\"])\n+\n+AT_CLEANUP\n+])\n", "prefixes": [ "ovs-dev", "1/3" ] }