From patchwork Tue Mar 22 13:03:43 2016
X-Patchwork-Submitter: Justin Pettit
X-Patchwork-Id: 602695
From: Justin Pettit
To: dev@openvswitch.org
Date: Tue, 22 Mar 2016 06:03:43 -0700
Message-Id: <1458651825-102084-1-git-send-email-jpettit@ovn.org>
Subject: [ovs-dev] [PATCH 1/3] flow: Fix buffer overflow for crafted MPLS packets.
From: Ben Pfaff A bug in MPLS parsing could cause a crafted MPLS packet to overflow the buffer reserved for MPLS labels in the OVS internal flow structure. This fixes the problem. This commit also fixes a secondary problem where an MPLS packet with zero labels could cause an out-of-range shift that would overwrite memory. There is no obvious way to control the data used in the overwrite, so this is harder to exploit. Vulnerability: CVE-2016-2074 Reported-by: Kashyap Thimmaraju Reported-by: Bhargava Shastry Signed-off-by: Ben Pfaff Acked-by: Jesse Gross --- lib/flow.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/flow.c b/lib/flow.c index 52a384e..61a66ec 100644 --- a/lib/flow.c +++ b/lib/flow.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2014 Nicira, Inc. + * Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2016 Nicira, Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -159,7 +159,7 @@ struct mf_ctx { /* Data at 'valuep' may be unaligned. */ #define miniflow_push_words_(MF, OFS, VALUEP, N_WORDS) \ -{ \ +if (N_WORDS) { \ int ofs32 = (OFS) / 4; \ \ MINIFLOW_ASSERT(MF.data + (N_WORDS) <= MF.end && (OFS) % 4 == 0 \ @@ -210,7 +210,7 @@ parse_mpls(void **datap, size_t *sizep) break; } } - return MAX(count, FLOW_MAX_MPLS_LABELS); + return MIN(count, FLOW_MAX_MPLS_LABELS); } static inline ovs_be16
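Review bot: in the miniflow_push_words_ hunk, changing the macro body opener from `{` to `if (N_WORDS) {` turns the macro into a bare `if` statement, which is a dangling-else hazard wherever the macro is used as the body of an `if` without braces; wrapping it as `do { if (N_WORDS) { ... } } while (0)` would keep it statement-safe. The guard also carries no comment saying why it exists (the zero-label out-of-range shift described in the commit message), and the visible context shows the MINIFLOW_ASSERT now sits inside the guard, so a zero-word push skips the assertion entirely; a one-line comment on the macro stating both points would help the next reader.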
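Review bot: in the parse_mpls hunk, `MIN(count, FLOW_MAX_MPLS_LABELS)` is the actual overflow fix: with `MAX`, a packet carrying more than FLOW_MAX_MPLS_LABELS labels had its full, uncapped count returned to the caller, which is how the label buffer in the flow was overrun, and `MAX(0, FLOW_MAX_MPLS_LABELS)` reported a full stack for a packet with no labels at all. A one-token MAX/MIN swap is easy to regress silently, so the series should add a test that pushes a packet with more than FLOW_MAX_MPLS_LABELS labels and one with zero labels through flow extraction, and a short comment on the return line stating that the count is clamped to the size of the flow's label buffer.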
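As an added illustration (example code written for this page, not taken from Open vSwitch's lib/flow.c), the following C program models the two failure modes the commit message describes: a label count that was never clamped to the size of the fixed label buffer, and a zero-label push. It uses its own mini_flow struct and an assumed cap of 3 (MPLS_MAX_LABELS, standing in for OVS's FLOW_MAX_MPLS_LABELS); the label stacks are constructed sample data. The pre-fix path keeps the original MAX so the oversized count is visible, but the push function refuses it instead of overrunning memory as the unpatched code did.

```c
#include <stddef.h>
#include <stdint.h>

/* Cap on stored labels.  OVS defines its own FLOW_MAX_MPLS_LABELS in
 * lib/flow.h; the value 3 here is an assumption made for this example. */
#define MPLS_MAX_LABELS 3
#define MPLS_HLEN 4                 /* one label stack entry is 4 bytes */
#define MPLS_BOS_MASK 0x00000100u   /* bottom-of-stack (S) bit of an entry */

#define MIN(a, b) ((a) < (b) ? (a) : (b))
#define MAX(a, b) ((a) > (b) ? (a) : (b))

struct mini_flow {
    uint32_t mpls_lse[MPLS_MAX_LABELS];  /* fixed-size buffer, as in OVS */
    size_t n_mpls;
};

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Walk the label stack, stopping at the bottom-of-stack entry or when the
 * data runs out.  Returns the raw number of entries seen, with no cap. */
static size_t count_mpls_labels(const uint8_t *data, size_t size)
{
    size_t count = 0;
    while (size >= MPLS_HLEN) {
        uint32_t lse = get_be32(data);
        data += MPLS_HLEN;
        size -= MPLS_HLEN;
        count++;
        if (lse & MPLS_BOS_MASK) {
            break;
        }
    }
    return count;
}

/* The one-token difference the patch makes: MAX never reduces an oversized
 * count (and turns zero into the cap); MIN clamps it to the buffer size. */
static size_t clamp_before_fix(size_t count) { return MAX(count, MPLS_MAX_LABELS); }
static size_t clamp_after_fix(size_t count) { return MIN(count, MPLS_MAX_LABELS); }

/* Copy n_words entries into the flow.  The bounds checks stand in for what
 * the patched parse_mpls guarantees by construction; the zero-word test
 * mirrors the 'if (N_WORDS)' guard added to miniflow_push_words_. */
static int push_mpls_words(struct mini_flow *flow, const uint8_t *data,
                           size_t avail, size_t n_words)
{
    if (n_words > MPLS_MAX_LABELS || n_words * MPLS_HLEN > avail) {
        return -1;  /* would overflow mpls_lse or read past the packet */
    }
    if (n_words) {
        for (size_t i = 0; i < n_words; i++) {
            flow->mpls_lse[i] = get_be32(data + i * MPLS_HLEN);
        }
    }
    flow->n_mpls = n_words;
    return 0;
}

/* End to end: count, clamp with or without the fix, then push.  Returns the
 * number of labels stored, or -1 where the pre-fix count would be unsafe. */
static long extract_mpls(const uint8_t *pkt, size_t len, int fixed)
{
    struct mini_flow flow;
    size_t raw = count_mpls_labels(pkt, len);
    size_t n = fixed ? clamp_after_fix(raw) : clamp_before_fix(raw);
    return push_mpls_words(&flow, pkt, len, n) < 0 ? -1 : (long)flow.n_mpls;
}

/* Label value (top 20 bits) of stored entry idx after the fixed extraction,
 * or -1 if idx is out of range. */
static long stored_label(const uint8_t *pkt, size_t len, size_t idx)
{
    struct mini_flow flow;
    size_t n = clamp_after_fix(count_mpls_labels(pkt, len));
    if (push_mpls_words(&flow, pkt, len, n) < 0 || idx >= flow.n_mpls) {
        return -1;
    }
    return (long)(flow.mpls_lse[idx] >> 12);
}

/* Constructed sample stacks (network byte order): label in the top 20 bits,
 * S bit at 0x100, TTL 0x40 in the low byte. */
static const uint8_t five_labels[] = {
    0x00, 0x01, 0x00, 0x40,  /* label 16, S=0 */
    0x00, 0x01, 0x10, 0x40,  /* label 17, S=0 */
    0x00, 0x01, 0x20, 0x40,  /* label 18, S=0 */
    0x00, 0x01, 0x30, 0x40,  /* label 19, S=0 */
    0x00, 0x01, 0x41, 0x40,  /* label 20, S=1: bottom of stack */
};
static const uint8_t two_labels[] = {
    0x00, 0x01, 0x00, 0x40,  /* label 16, S=0 */
    0x00, 0x01, 0x11, 0x40,  /* label 17, S=1: bottom of stack */
};
```

With the fix, the five-label stack stores exactly three entries and the empty stack stores none; without it, the same inputs produce counts of 5 and 3 respectively, and the second of those would also read past the end of a two-label packet, which is why the push here checks both the buffer size and the bytes available rather than trusting the count.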