From: Frode Nordahl <frode.nord...@canonical.com>

The OVS BFD configuration option `check_tnl_key` controls whether
OVS should consider the tunnel key before processing BFD control
messages.  The OVN pipeline design ensures traffic originating
from a logical port will have a non-zero tunnel key.

Always set `check_tnl_key` to "true" to avoid processing of
BFD control messages originating from a logical port.

CVE-2024-2182

Signed-off-by: Dumitru Ceara <dce...@redhat.com>
Signed-off-by: Frode Nordahl <frode.nord...@canonical.com>
---
 controller/bfd.c | 3 +++
 tests/ovn.at     | 6 +++---
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/controller/bfd.c b/controller/bfd.c
index f24bfd0638..22a8c66959 100644
--- a/controller/bfd.c
+++ b/controller/bfd.c
@@ -235,6 +235,9 @@ bfd_run(const struct ovsrec_interface_table 
*interface_table,
         if (mult) {
             smap_add(&bfd, "mult", mult);
         }
+        /* `check_tnl_key` must always be set to "true" to avoid processing of
+         * BFD control messages originating from a logical port. */
+        smap_add(&bfd, "check_tnl_key", "true");
     }
 
     /* Enable or disable bfd */
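Review bot: The new smap_add at the end of the enabled branch is the only thing that stops OVS from accepting BFD control messages that arrive from a logical port, but the comment above it does not say why it is correct or that it must not become configurable, so a later cleanup could drop it as "just a default". I would tie the comment to the invariant in the commit message: `/* CVE-2024-2182: OVN guarantees traffic from a logical port carries a non-zero tunnel key, so check_tnl_key=true is what keeps OVS from acting on BFD control messages injected through a logical port; never make this optional. */`. smap_add does not replace an existing key, so if any other path in bfd_run already populates check_tnl_key (not visible here) this would produce a duplicate and smap_replace would be the safer call — presumably the map is built fresh each time, but worth confirming. bfd_run begins and ends outside the hunk.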
diff --git a/tests/ovn.at b/tests/ovn.at
index e87df6c8dc..0595f1167e 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -13814,7 +13814,7 @@ for chassis in gw1 hv1 hv2; do
     echo "checking gw2 -> $chassis"
     OVS_WAIT_UNTIL([
     bfd_cfg=$(ovs-vsctl --bare --columns bfd find Interface 
name=ovn-$chassis-0)
-    test "$bfd_cfg" = "enable=true min_rx=2000"
+    test "$bfd_cfg" = "check_tnl_key=true enable=true min_rx=2000"
 ])
 done
 ovn-nbctl --wait=hv set NB_Global . options:"bfd-min-tx"=1500
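Review bot: The updated assertion only checks that the serialized bfd column now contains `check_tnl_key=true`; it does not exercise the property the change exists for, so a regression in how OVS honours the key would pass this test. The hunks at L49-L58 and L59-L68 have the same shape and the same gap. Since the three checks also pin the exact key order ovs-vsctl emits, they will all need touching whenever another key is added; a small helper that asserts on individual keys would be less brittle, e.g. `AT_CHECK([ovs-vsctl get Interface ovn-$chassis-0 bfd:check_tnl_key], [0], [true
])` alongside the existing string compare. A functional test that brings up a BFD session and confirms it stays in its current state when a BFD control message is delivered via a logical port would cover the actual mitigation.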
@@ -13822,7 +13822,7 @@ for chassis in gw1 hv1 hv2; do
     echo "checking gw2 -> $chassis"
     OVS_WAIT_UNTIL([
     bfd_cfg=$(ovs-vsctl --bare --columns bfd find Interface 
name=ovn-$chassis-0)
-    test "$bfd_cfg" = "enable=true min_rx=2000 min_tx=1500"
+    test "$bfd_cfg" = "check_tnl_key=true enable=true min_rx=2000 min_tx=1500"
 ])
 done
 ovn-nbctl remove NB_Global . options "bfd-min-rx"
@@ -13831,7 +13831,7 @@ for chassis in gw1 hv1 hv2; do
     echo "checking gw2 -> $chassis"
     OVS_WAIT_UNTIL([
     bfd_cfg=$(ovs-vsctl --bare --columns bfd find Interface 
name=ovn-$chassis-0)
-    test "$bfd_cfg" = "enable=true min_tx=1500 mult=15"
+    test "$bfd_cfg" = "check_tnl_key=true enable=true min_tx=1500 mult=15"
 ])
 done
 
-- 
2.39.3
