mbox series

[ovs-dev,v4,0/3] bug fix: avoid install bad dp flow

Message ID 2021112123191459526248@chinatelecom.cn
Headers show
Series bug fix: avoid install bad dp flow | expand

Message

Cheng Li Nov. 21, 2021, 3:19 p.m. UTC 
Version 4:
  - Cover case where tcp_hdrlen > tcp_pkt_size
  - Other small adjustments

ovs may install bad datapath flow when meet malformed pkts. As a
result, it may allows some unwanted pkts pass. This could be a point
of attack.

lic121 (3):
  upcall: prevent from installing flows when inconsistence
  tests: fix packet data endianness
  upcall: considering dataofs when parsing tcp pkt

 lib/flow.c                    | 20 ++++++++++-------
 ofproto/ofproto-dpif-upcall.c | 26 +++++++++++++++++++---
 tests/flowgen.py              |  2 +-
 tests/ofproto-dpif.at         | 50 +++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 86 insertions(+), 12 deletions(-)

--
1.8.3.1

Comments

Ilya Maximets Dec. 4, 2021, 12:16 a.m. UTC | #1 
On 11/21/21 16:19, lic121 wrote:
> Version 4:
>   - Cover case where tcp_hdrlen > tcp_pkt_size
>   - Other small adjustments
> 
> ovs may install bad datapath flow when meet malformed pkts. As a
> result, it may allows some unwanted pkts pass. This could be a point
> of attack.
> 
> lic121 (3):
>   upcall: prevent from installing flows when inconsistence
>   tests: fix packet data endianness
>   upcall: considering dataofs when parsing tcp pkt
> 
>  lib/flow.c                    | 20 ++++++++++-------
>  ofproto/ofproto-dpif-upcall.c | 26 +++++++++++++++++++---
>  tests/flowgen.py              |  2 +-
>  tests/ofproto-dpif.at         | 50 +++++++++++++++++++++++++++++++++++++++++++
>  4 files changed, 86 insertions(+), 12 deletions(-)
> 

Thanks for the new version!  With some small cosmetic changes
I applied patches #2 and #3.  Also backported down to all
supported branches (down to 2.13).  This should fix the main
parsing problem.

And I found the patch that actually broke the parsing more
than 7 years ago:
  5a51b2cd3483 ("lib/ofpbuf: Remove 'l7' pointer.")

I added it to the 'Fixes' tag in the patch #3.

I didn't actually look closely to the patch #1 yet, so I'll
need to get back to it a bit later.

Best regards, Ilya Maximets.
Cheng Li Dec. 7, 2021, 1:10 a.m. UTC | #2 
>On 11/21/21 16:19, lic121 wrote:
>> Version 4:
>>   - Cover case where tcp_hdrlen > tcp_pkt_size
>>   - Other small adjustments
>> 
>> ovs may install bad datapath flow when meet malformed pkts. As a
>> result, it may allows some unwanted pkts pass. This could be a point
>> of attack.
>> 
>> lic121 (3):
>>   upcall: prevent from installing flows when inconsistence
>>   tests: fix packet data endianness
>>   upcall: considering dataofs when parsing tcp pkt
>> 
>>  lib/flow.c                    | 20 ++++++++++-------
>>  ofproto/ofproto-dpif-upcall.c | 26 +++++++++++++++++++---
>>  tests/flowgen.py              |  2 +-
>>  tests/ofproto-dpif.at         | 50 +++++++++++++++++++++++++++++++++++++++++++
>>  4 files changed, 86 insertions(+), 12 deletions(-)
>> 
>
>Thanks for the new version!  With some small cosmetic changes
>I applied patches #2 and #3.  Also backported down to all
>supported branches (down to 2.13).  This should fix the main
>parsing problem.
>
>And I found the patch that actually broke the parsing more
>than 7 years ago:
>  5a51b2cd3483 ("lib/ofpbuf: Remove 'l7' pointer.")
>
>I added it to the 'Fixes' tag in the patch #3.
>
>I didn't actually look closely to the patch #1 yet, so I'll
>need to get back to it a bit later.
>
Thanks for review the patches. Yes, the #3 patch fixs the main problem.
The #1 patch is important as well. Without patch #1, 
we will have to keep an key on every patch, which affects flow parsing, to prevent it from breaking the consistentance between kmod and vswitchd.
>Best regards, Ilya Maximets.
>