flow: Fix buffer overread for crafted IPv6 packets.
The ipv6_sanity_check() function implemented a check for IPv6 payload
length wrong: ip6_plen is the payload length but this function checked
whether it was longer than the total length of IPv6 header plus payload.
This meant that a packet with a crafted ip6_plen could result in a buffer
overread of up to the length of an IPv6 header (40 bytes).

The kernel datapath flow extraction code does not obviously have a similar
problem.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9287
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Darrell Ball <dlu998@gmail.com>
blp committed Jul 10, 2018
1 parent 4af6da3 commit 487a8ac
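As an added example (not code from the Open vSwitch tree), the pre-fix and post-fix payload-length checks are placed side by side and run against constructed packets, so the "up to 40 bytes" bound stated in the commit message can be measured rather than taken on trust. It assumes a minimal fixed-header layout with ip6_plen at byte offset 4, a locally defined IPV6_HEADER_LEN of 40, and hypothetical helpers build_packet(), overread_for() and count_escaping_plens() that exist only for this demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local definition for the example; the IPv6 fixed header is 40 bytes. */
#define IPV6_HEADER_LEN 40
/* Offset of ip6_plen (network byte order) in the fixed header. */
#define IP6_PLEN_OFFSET 4

static uint16_t
get_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Pre-fix check: ip6_plen is compared against a `size` that still
 * includes the 40-byte header, so plen may exceed the real payload. */
static bool
plen_check_before(const uint8_t *pkt, size_t size)
{
    if (size < IPV6_HEADER_LEN) {
        return false;
    }
    uint16_t plen = get_be16(pkt + IP6_PLEN_OFFSET);
    return !(plen > size);
}

/* Post-fix check: header plus claimed payload must fit in the buffer.
 * plen is at most 65535, so plen + 40 cannot wrap before the compare. */
static bool
plen_check_after(const uint8_t *pkt, size_t size)
{
    if (size < IPV6_HEADER_LEN) {
        return false;
    }
    uint16_t plen = get_be16(pkt + IP6_PLEN_OFFSET);
    return !(plen + IPV6_HEADER_LEN > size);
}

/* Bytes a consumer would read past the buffer end if it trusted ip6_plen
 * and read that many payload bytes after the header; 0 when none. */
static size_t
overread_bytes(const uint8_t *pkt, size_t size)
{
    if (size < IPV6_HEADER_LEN) {
        return 0;
    }
    size_t need = (size_t)get_be16(pkt + IP6_PLEN_OFFSET) + IPV6_HEADER_LEN;
    return need > size ? need - size : 0;
}

/* Constructed packet (hypothetical helper): a 40-byte header followed by
 * payload_len filler bytes, with ip6_plen set to whatever the attacker
 * claims.  Returns the total buffer size, or 0 if it does not fit. */
static size_t
build_packet(uint8_t *buf, size_t cap, uint16_t claimed_plen,
             size_t payload_len)
{
    size_t total = IPV6_HEADER_LEN + payload_len;
    if (total > cap) {
        return 0;
    }
    memset(buf, 0, total);
    buf[0] = 0x60;                                  /* version 6 */
    buf[IP6_PLEN_OFFSET] = (uint8_t)(claimed_plen >> 8);
    buf[IP6_PLEN_OFFSET + 1] = (uint8_t)(claimed_plen & 0xff);
    buf[6] = 59;                                    /* no next header */
    buf[7] = 64;                                    /* hop limit */
    memset(buf + IPV6_HEADER_LEN, 0xAA, payload_len);
    return total;
}

/* Overread (in bytes) that the pre-fix check lets through for a packet with
 * payload_len real payload bytes and a crafted claimed_plen.  Returns 0 if
 * the old check would already have rejected the packet. */
static size_t
overread_for(uint16_t claimed_plen, size_t payload_len)
{
    uint8_t buf[2048];
    size_t size = build_packet(buf, sizeof buf, claimed_plen, payload_len);
    if (!size || !plen_check_before(buf, size)) {
        return 0;
    }
    return overread_bytes(buf, size);
}

/* Number of ip6_plen values in [0, 65535] the old check accepts but the new
 * check rejects; the window is always exactly IPV6_HEADER_LEN wide. */
static unsigned
count_escaping_plens(size_t payload_len)
{
    uint8_t buf[2048];
    unsigned n = 0;
    for (unsigned v = 0; v <= 0xffff; v++) {
        size_t size = build_packet(buf, sizeof buf, (uint16_t)v, payload_len);
        if (size && plen_check_before(buf, size)
            && !plen_check_after(buf, size)) {
            n++;
        }
    }
    return n;
}

int
main(void)
{
    printf("plen values escaping the old check: %u\n", count_escaping_plens(100));
    printf("worst-case overread with 100-byte payload: %zu bytes\n",
           overread_for(140, 100));
    return 0;
}
```

With 100 real payload bytes the buffer is 140 bytes long; the old check accepts any ip6_plen up to 140, the new one only up to 100, and the 40 values in between are exactly the header-sized overread window the message describes.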
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion lib/flow.c
Expand Up @@ -693,7 +693,7 @@ miniflow_extract(struct dp_packet *packet, struct miniflow *dst)
nh = data_pull(&data, &size, sizeof *nh);

plen = ntohs(nh->ip6_plen);
if (OVS_UNLIKELY(plen > size)) {
if (OVS_UNLIKELY(plen + IPV6_HEADER_LEN > size)) {
goto out;
}
/* Jumbo Payload option not supported yet. */
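Review bot: the new condition needs a comment stating what `size` covers at this point, because the context line just above it, `nh = data_pull(&data, &size, sizeof *nh);`, reads as if the 40-byte header has already been consumed from `size`. If it has, `plen + IPV6_HEADER_LEN > size` counts the header twice and rejects valid packets whose payload ends within 40 bytes of the buffer; if `size` is still the full header-plus-payload length, as the commit message says, the check is right and a line such as `/* size still includes the IPv6 header. */` would spare the next reader the same question. The `@@` header names `miniflow_extract()` while the message talks about `ipv6_sanity_check()`; that may only be the diff tool's heuristic, but the message should name the function actually changed. The arithmetic itself is safe: `plen` comes from `ntohs()`, so `plen + IPV6_HEADER_LEN` is at most 65535 + 40 and cannot wrap before the comparison. Given the OSS-Fuzz origin, a regression test feeding a packet whose `ip6_plen` exceeds the bytes actually present would be a useful companion to this one-line fix.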
