On 3/31/26 4:39 PM, Aaron Conole wrote:
> There is a buffer size calculation issue in replace_string that can
> result in a heap overflow with a specially crafted FTP packet. This
> is a result of integer truncation when downscaling from size_t into
> uint8_t size. Correct this by setting the types to size_t until the
> underlying memmove to keep the sizes intact.
>
> The total_size, substr_size, and rep_str_size are expected to all be
> sane values for the memmove, and modify_packet also expects this, so
> document that as well. In the case of FTP, those are enforced in
> repl_ftp_v*_addr at the checks for MAX_FTP_V*_NAT_DELTA, and the
> packet data itself should be sanitized by the ovs_strlcpy that runs
> early to extract a string of appropriate length.
>
> Fixes: bd5e81a0e596 ("Userspace Datapath: Add ALG infra and FTP.")
> Reported-by: Seiji Sakurai <[email protected]>
> Signed-off-by: Aaron Conole <[email protected]>
> ---
Thanks, Aaron! As agreed, I'll work on applying this to all supported
branches and preparing releases, assuming CI passes. Will send release
patches shortly.
Best regards, Ilya Maximets.
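
The truncation described in the quoted commit message, as an added C example that is not part of this thread and is not OVS code: it compares the memmove tail length computed from uint8_t-narrowed sizes with the same length kept in size_t, next to a replace routine that validates its sizes. All function names, the local bounds checks and the sample buffer are assumptions of this sketch; the commit message describes keeping the sizes as size_t and relying on the callers to bound them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers, not OVS code.  Bytes after the substring that the
 * memmove must shift, computed after narrowing the sizes to uint8_t. */
static size_t narrowed_tail_len(size_t total_size, size_t substr_size)
{
    uint8_t total8 = (uint8_t) total_size;     /* 300 becomes 44. */
    uint8_t substr8 = (uint8_t) substr_size;
    return (size_t) (total8 - substr8);        /* Negative int wraps. */
}

/* Same quantity with the sizes left as size_t. */
static size_t full_tail_len(size_t total_size, size_t substr_size)
{
    return total_size - substr_size;
}

/* Replaces substr_size bytes at 'off' with 'rep'.  Returns 0, or -1 without
 * touching 'buf' if the sizes are inconsistent or the result will not fit.
 * The local checks are an assumption of this sketch. */
static int replace_checked(char *buf, size_t buf_cap, size_t total_size,
                           size_t off, size_t substr_size,
                           const char *rep, size_t rep_size)
{
    if (total_size > buf_cap || off > total_size
        || substr_size > total_size - off) {
        return -1;
    }
    size_t tail = total_size - off - substr_size;
    if (rep_size > buf_cap - off || tail > buf_cap - off - rep_size) {
        return -1;
    }
    memmove(buf + off + rep_size, buf + off + substr_size, tail);
    memcpy(buf + off, rep, rep_size);
    return 0;
}

int main(void)
{
    char buf[32] = "abcXYZdef";                /* Constructed sample. */
    printf("narrowed=%zu full=%zu\n", narrowed_tail_len(300, 50),
           full_tail_len(300, 50));
    printf("rc=%d buf=%s\n",
           replace_checked(buf, sizeof buf, 10, 3, 3, "12345", 5), buf);
    return 0;
}
```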