From patchwork Mon Feb 24 23:39:14 2020
X-Patchwork-Submitter: Ben Pfaff
X-Patchwork-Id: 1243716
From: Ben Pfaff
To: dev@openvswitch.org
Date: Mon, 24 Feb 2020 15:39:14 -0800
Message-Id: <20200224233914.697716-1-blp@ovn.org>
Cc: Ben Pfaff
Subject: [ovs-dev] [PATCH ovn] pinctrl: Fix buffer overread in pinctrl_compose_ipv6().

The call to packet_set_ipv6() calls into packet_rh_present(), which in turn iterates through the L3 content. Without this commit, the l4_ofs in the packet has its default value of UINT16_MAX, which means that packet_rh_present() reads well beyond the real maximum length of the IPv6 header.

Reported by Address Sanitizer (actually the MLD test fails 100% of the time with Address Sanitizer without this fix, so I guess I'm the only one who uses it routinely).

CC: Dumitru Ceara
Fixes: 677a3ba4d66b ("ovn: Add MLD support.")
Signed-off-by: Ben Pfaff
Acked-by: Dumitru Ceara
Acked-by: Numan Siddique
---
 controller/pinctrl.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/controller/pinctrl.c b/controller/pinctrl.c index d06915a65173..dc8d3fd28ea0 100644 --- a/controller/pinctrl.c +++ b/controller/pinctrl.c 
@@ -3238,6 +3238,7 @@ pinctrl_compose_ipv6(struct dp_packet *packet, struct eth_addr eth_src, eh->eth_src = eth_src; eh->eth_type = htons(ETH_TYPE_IPV6); dp_packet_set_l3(packet, nh); + dp_packet_set_l4(packet, nh + 1); nh->ip6_vfc = 0x60; nh->ip6_nxt = ip_proto;
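
Review bot: the added dp_packet_set_l4(packet, nh + 1) line needs a short comment saying why it is there, because nothing in the hunk shows that a later call depends on it. Per the commit message, packet_set_ipv6() reaches packet_rh_present(), which walks the L3 content up to l4_ofs, and l4_ofs is UINT16_MAX until this line runs; without a comment the call looks redundant next to dp_packet_set_l3() and is easy to drop in a later cleanup, which would bring the overread back. It is also worth stating in that comment what nh + 1 is meant to point at: it is the first byte after the fixed IPv6 header, so when nh->ip6_nxt = ip_proto carries an extension-header type, L4 as set here is the start of that extension header rather than the upper-layer payload.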