On 3/31/26 4:53 PM, Ilya Maximets wrote:
> On 3/31/26 4:39 PM, Aaron Conole wrote:
>> There is a buffer size calculation issue in replace_string that can
>> result in a heap overflow with a specially crafted FTP packet.  This
>> is a result of integer truncation when downscaling from size_t into
>> uint8_t size.  Correct this by setting the types to size_t until the
>> underlying memmove to keep the sizes intact.
>>
>> The total_size, substr_size, and rep_str_size are expected to all be
>> sane values for the memmove, and modify_packet also expects this, so
>> document that as well.  In the case of FTP, those are enforced in
>> repl_ftp_v*_addr at the checks for MAX_FTP_V*_NAT_DELTA, and the
>> packet data itself should be sanitized by the ovs_strlcpy that runs
>> early to extract a string of appropriate length.
>>
>> Fixes: bd5e81a0e596 ("Userspace Datapath: Add ALG infra and FTP.")
>> Reported-by: Seiji Sakurai <[email protected]>
>> Signed-off-by: Aaron Conole <[email protected]>
>> ---
> 
> Thanks, Aaron!  As agreed, I'll work on applying this to all supported
> branches and preparing releases, assuming CI passes.  Will send release
> patches shortly.

Applied to all branches down to 3.3.  Will follow up with the releases soon.

Best regards, Ilya Maximets.
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
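
The bug class named in the commit message (a size narrowed from size_t to uint8_t before a memmove), as an added example that is not part of this thread or of the OVS source. `narrowed` and `replace_checked` are hypothetical names, and the buffer layout and sample data are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The value a size takes once it is stored in a uint8_t: only the low
 * 8 bits survive, so any length above 255 silently wraps. */
static size_t narrowed(size_t n) { return (uint8_t) n; }

/* Hypothetical helper (not the OVS function): replace the substr_size
 * bytes at offset 'off' in buf with rep_size bytes from 'rep'.  buf holds
 * total_size used bytes out of 'cap' allocated.  Every size stays size_t
 * up to the memmove.  Returns the new used size, or 0 if the request
 * does not fit. */
static size_t
replace_checked(char *buf, size_t cap, size_t total_size, size_t off,
                size_t substr_size, const char *rep, size_t rep_size)
{
    /* Subtractions are only done after proving they cannot wrap. */
    if (total_size > cap || off > total_size
        || substr_size > total_size - off) {
        return 0;
    }
    size_t tail = total_size - off - substr_size;
    size_t new_total = total_size - substr_size;
    if (rep_size > cap - new_total) {
        return 0;               /* Replacement would grow past the buffer. */
    }
    memmove(buf + off + rep_size, buf + off + substr_size, tail);
    memcpy(buf + off, rep, rep_size);
    return new_total + rep_size;
}

int main(void)
{
    char buf[512];              /* Constructed sample: 400 used bytes. */
    memset(buf, 'A', 400);
    size_t n = replace_checked(buf, sizeof buf, 400, 10, 5,
                               "0123456789abcdefghij", 20);
    /* The tail that must move is 385 bytes; a uint8_t would hold 129. */
    printf("new size %zu, tail 385 narrowed to %zu\n", n, narrowed(385));
    return 0;
}
```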
