Derivation cases of CVE-2020-35498:
1. invalid ipv4 header total-length field
2. invalid ipv6 header payload-length field
These may cause unwanted flow to send to datapath.
Signed-off-by: Faicker Mo <faicker...@ucloud.cn>
---
lib/flow.c | 11 +++++------
tests/classifier.at | 42 ++++++++++++++++++++++++++++++++++++++++++
tests/ofp-print.at | 2 +-
3 files changed, 48 insertions(+), 7 deletions(-)
diff --git a/lib/flow.c b/lib/flow.c
index c3a3aa3ce..d96d02213 100644
--- a/lib/flow.c
+++ b/lib/flow.c
@@ -662,9 +662,8 @@ ipv4_sanity_check(const struct ip_header *nh, size_t size,
return false;
}
- tot_len = ntohs(nh->ip_tot_len);
- if (OVS_UNLIKELY(tot_len > size || ip_len > tot_len ||
- size - tot_len > UINT16_MAX)) {
+ tot_len = MIN(size, ntohs(nh->ip_tot_len));
+ if (OVS_UNLIKELY(ip_len > tot_len || size - tot_len > UINT16_MAX)) {
COVERAGE_INC(miniflow_extract_ipv4_pkt_len_error);
return false;
}
@@ -700,7 +699,7 @@ ipv6_sanity_check(const struct ovs_16aligned_ip6_hdr *nh,
size_t size)
return false;
}
- plen = ntohs(nh->ip6_plen);
+ plen = MIN(size - sizeof *nh, ntohs(nh->ip6_plen));
if (OVS_UNLIKELY(plen + IPV6_HEADER_LEN > size)) {
COVERAGE_INC(miniflow_extract_ipv6_pkt_len_error);
return false;
@@ -920,7 +919,7 @@ miniflow_extract(struct dp_packet *packet, struct miniflow
*dst)
}
data_pull(&data, &size, sizeof *nh);
- plen = ntohs(nh->ip6_plen);
+ plen = MIN(size, ntohs(nh->ip6_plen));
dp_packet_set_l2_pad_size(packet, size - plen);
size = plen; /* Never pull padding. */
@@ -1197,7 +1196,7 @@ parse_tcp_flags(struct dp_packet *packet,
}
data_pull(&data, &size, sizeof *nh);
- plen = ntohs(nh->ip6_plen); /* Never pull padding. */
+ plen = MIN(size, ntohs(nh->ip6_plen)); /* Never pull padding. */
dp_packet_set_l2_pad_size(packet, size - plen);
size = plen;
const struct ovs_16aligned_ip6_frag *frag_hdr;
diff --git a/tests/classifier.at b/tests/classifier.at
index de2705653..1a1615bb5 100644
--- a/tests/classifier.at
+++ b/tests/classifier.at
@@ -418,6 +418,7 @@ ovs-ofctl: "conjunction" actions may be used along with
"note" but not any other
OVS_VSWITCHD_STOP
AT_CLEANUP
+AT_BANNER([flow classifier abnormal packet])
# Flow classifier a packet with excess of padding.
AT_SETUP([flow classifier - packet with extra padding])
OVS_VSWITCHD_START
@@ -453,3 +454,44 @@ Datapath actions: 2
])
OVS_VSWITCHD_STOP
AT_CLEANUP
+
+dnl Flow classifier a packet with invalid total-length field of ipv4 header
+AT_SETUP([flow classifier - packet with invalid total-length field of ipv4
header])
+OVS_VSWITCHD_START
+add_of_ports br0 1 2
+AT_DATA([flows.txt], [dnl
+priority=5,ip,ip_dst=1.1.1.1,actions=1
+priority=5,ip,ip_dst=1.1.1.2,actions=2
+priority=0,actions=drop
+])
+AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
+packet=00000000000000000000000008004500003c00010000401176ac0101010101010102003500350008fb4f
+AT_CHECK([ovs-appctl ofproto/trace br0 in_port=1 $packet] , [0], [stdout])
+dnl the problem flow,
+dnl Megaflow: recirc_id=0,eth,ip,in_port=1,nw_dst=0.0.0.0/8,nw_frag=no
+dnl Datapath actions: drop
+AT_CHECK([tail -2 stdout], [0],
+ [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_dst=1.1.1.2,nw_frag=no
+Datapath actions: 2
+])
+OVS_VSWITCHD_STOP
+AT_CLEANUP
+
+dnl Flow classifier a packet with invalid payload-length field of ipv4 header
+AT_SETUP([flow classifier - packet with invalid payload-length field of ipv6
header])
+OVS_VSWITCHD_START
+add_of_ports br0 1 2
+AT_DATA([flows.txt], [dnl
+priority=5,ipv6,ipv6_dst=1::1,actions=1
+priority=5,ipv6,ipv6_dst=1::2,actions=2
+priority=0,actions=drop
+])
+AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
+packet=00000000000000000000000086dd60000000001e11400001000000000000000000000000000100010000000000000000000000000002003500350008ff6f
+AT_CHECK([ovs-appctl ofproto/trace br0 in_port=1 $packet] , [0], [stdout])
+AT_CHECK([tail -2 stdout], [0],
+ [Megaflow: recirc_id=0,eth,ipv6,in_port=1,ipv6_dst=1::2,nw_frag=no
+Datapath actions: 2
+])
+OVS_VSWITCHD_STOP
+AT_CLEANUP
diff --git a/tests/ofp-print.at b/tests/ofp-print.at
index 14aa55416..0c786a542 100644
--- a/tests/ofp-print.at
+++ b/tests/ofp-print.at
@@ -3151,7 +3151,7 @@ AT_CHECK([ovs-ofctl ofp-print "
], [0], [dnl
NXT_PACKET_IN2 (xid=0x0): table_id=7 cookie=0xfedcba9876543210 total_len=64
metadata=0x5a5a5a5a5a5a5a5a (via action) data_len=48 buffer=0x00000114
userdata=01.02.03.04.05
-ip,dl_vlan=80,dl_vlan_pcp=0,vlan_tci1=0x0000,dl_src=80:81:81:81:81:81,dl_dst=82:82:82:82:82:82,nw_src=0.0.0.0,nw_dst=0.0.0.0,nw_proto=0,nw_tos=0,nw_ecn=0,nw_ttl=0,nw_frag=no
+tcp,dl_vlan=80,dl_vlan_pcp=0,vlan_tci1=0x0000,dl_src=80:81:81:81:81:81,dl_dst=82:82:82:82:82:82,nw_src=83.83.83.83,nw_dst=84.84.84.84,nw_tos=0,nw_ecn=0,nw_ttl=0,nw_frag=no,tp_src=0,tp_dst=0,tcp_flags=0
])
AT_CLEANUP
--
2.31.1
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
