Revert "flow: Fix buffer overread for crafted IPv6 packets."
This reverts commit 0760bd61a666e9fa866fcb5ed67f48f34895d2f6.

This patch was a cherry-pick from a bug fix in the master branch that
fixed an overread for IPv6 packets.  However, the backport introduced a
problem in older branches, since the code path is different.  In the
master branch, this check is done on the raw packet data, which starts
at the beginning of the IPv6 packet.  In older branches, this check is
done after a call to data_pull(), which subtracts the IPv6 header length
from the 'size' variable.  This means that valid IPv6 packets aren't
being processed since the check thinks they are too long.

CC: Ben Pfaff <blp@ovn.org>
Fixes: 0760bd61a66 ("flow: Fix buffer overread for crafted IPv6 packets.")
Signed-off-by: Justin Pettit <jpettit@ovn.org>
Acked-By: Lucas Alvares Gomes <lucasagomes@gmail.com>
justinpettit committed Jul 16, 2018
1 parent 1550bba commit 2fe3d5d
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion lib/flow.c
Expand Up @@ -693,7 +693,7 @@ miniflow_extract(struct dp_packet *packet, struct miniflow *dst)
nh = data_pull(&data, &size, sizeof *nh);

plen = ntohs(nh->ip6_plen);
if (OVS_UNLIKELY(plen + IPV6_HEADER_LEN > size)) {
if (OVS_UNLIKELY(plen > size)) {
goto out;
}
/* Jumbo Payload option not supported yet. */
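Review bot: The restored check `if (OVS_UNLIKELY(plen > size))` is only correct because `data_pull(&data, &size, sizeof *nh)` just above it has already subtracted the IPv6 header from `size`, and nothing at the check says so. That unstated invariant is what made the cherry-picked `plen + IPV6_HEADER_LEN > size` form reject valid packets on this branch. Please add a one-line comment above the check noting that `size` here counts only the bytes remaining after the IPv6 header, so a later backport from master does not reintroduce the header length. The commit changes only lib/flow.c; a test with a valid IPv6 packet whose payload exactly fills the remaining buffer, plus one whose `ip6_plen` exceeds it, would pin down both the regression and the original overread.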