Commit
Due to the use of a uint8_t to index inside the DNS payload we could end up in an infinite loop when specific (invalid) DNS packets were processed by ovn-controller. In the infinite loop we keep increasing the query_name dynamic string until running out of memory.

One way to replicate the issue is to configure DNS on the logical switch and then inject a manually crafted DNS-like packet. For example, with Scapy:

    >>> p = IP(dst='10.0.0.2',src='10.0.0.3')/UDP(dport=53)/('a'*364)
    >>> send(p)

Also add a sanity check on minimum L4 size of packets.

Cherry-picked from ovn commit - 7fbdeaa.

CC: Numan Siddique <nusiddiq@redhat.com>
Fixes: 16cb4fb ("ovn-controller: Add 'dns_lookup' action")
Reported-at: https://bugzilla.redhat.com/1740335
Reported-by: Priscila <pveiga@redhat.com>
Signed-off-by: Dumitru Ceara <dceara@redhat.com>
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
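
The bug class described in the commit message, as an added example (not the OVN source and not the patch itself): a simplified model of a DNS label walk with an 8-bit index beside a bounds-checked one. The function names, the `MAX_STEPS` guard and the sample buffer are constructed for illustration; the 352-byte buffer stands for the 364-byte payload from the message minus the 12-byte DNS header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_STEPS 10000 /* demo guard so the buggy walk terminates */

/* Buggy pattern: an 8-bit index wraps at 256, so data + idx never reaches
 * end on a name area longer than 255 bytes that contains no zero byte.
 * Returns labels walked, -2 on a bad label length, -1 if still looping. */
static int walk_labels_u8(const uint8_t *data, size_t len)
{
    const uint8_t *end = data + len;
    uint8_t idx = 0;
    int steps = 0;
    while (data + idx < end && data[idx]) {
        uint8_t label_len = data[idx++];
        if (data + idx + label_len > end) {
            return -2;
        }
        idx += label_len; /* wraps modulo 256 */
        if (++steps >= MAX_STEPS) {
            return -1; /* the unguarded loop would grow a buffer forever */
        }
    }
    return steps;
}

/* Checked walk: full-width index, and every step is bounded by len. */
static int walk_labels_checked(const uint8_t *data, size_t len)
{
    size_t idx = 0;
    int labels = 0;
    while (idx < len && data[idx]) {
        size_t label_len = data[idx++];
        if (label_len > len - idx) {
            return -2; /* label runs past the end of the payload */
        }
        idx += label_len;
        labels++;
    }
    return idx < len ? labels : -2; /* no terminating zero byte: reject */
}

int main(void)
{
    uint8_t junk[352]; /* constructed: 364 bytes of 'a' less a 12-byte header */
    memset(junk, 'a', sizeof junk);
    printf("u8: %d checked: %d\n", walk_labels_u8(junk, sizeof junk), walk_labels_checked(junk, sizeof junk));
}
```

With every byte equal to 0x61, the 8-bit index advances by 98 modulo 256 on each step and only ever lands on even offsets below 256, so neither the end-of-buffer test nor the label-length test can fire.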