Timothy Redaelli
8 years ago
parent
c7bc7f4338
commit
abd9d8c9f0
@ -1,30 +0,0 @@
|
||||
From 7b7b186a8d40fc6f287cef2582702181da74bdc3 Mon Sep 17 00:00:00 2001
|
||||
From: Ben Pfaff <blp@ovn.org>
|
||||
Date: Sat, 20 May 2017 16:38:24 -0700
|
||||
Subject: [PATCH] ofp-util: Fix buffer overread in
|
||||
ofputil_pull_queue_get_config_reply10().
|
||||
|
||||
msg->size isn't the relevant measurement here because we're only supposed
|
||||
to read 'len' bytes. Reading more than that causes 'len' to underflow to a
|
||||
large number at the end of the loop.
|
||||
|
||||
Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de>
|
||||
Signed-off-by: Ben Pfaff <blp@ovn.org>
|
||||
Acked-by: Greg Rose <gvrose8192@gmail.com>
|
||||
---
|
||||
lib/ofp-util.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/ofp-util.c b/lib/ofp-util.c
|
||||
index db27abf8bc..a6dd5dbddf 100644
|
||||
--- a/lib/ofp-util.c
|
||||
+++ b/lib/ofp-util.c
|
||||
@@ -2598,7 +2598,7 @@ ofputil_pull_queue_get_config_reply10(struct ofpbuf *msg,
|
||||
|
||||
hdr = ofpbuf_at_assert(msg, 0, sizeof *hdr);
|
||||
prop_len = ntohs(hdr->len);
|
||||
- if (prop_len < sizeof *hdr || prop_len > msg->size || prop_len % 8) {
|
||||
+ if (prop_len < sizeof *hdr || prop_len > len || prop_len % 8) {
|
||||
return OFPERR_OFPBRC_BAD_LEN;
|
||||
}
|
||||
|
||||
@ -1,65 +0,0 @@
|
||||
From c562b61ed91605dc0c5790aaf2df09b566df77b6 Mon Sep 17 00:00:00 2001
|
||||
From: Ben Pfaff <blp@ovn.org>
|
||||
Date: Fri, 3 Mar 2017 21:16:17 -0800
|
||||
Subject: [PATCH] conntrack: Fix checks for TCP, UDP, and IPv6 header sizes.
|
||||
|
||||
Otherwise a malformed packet could cause a read up to about 40 bytes past
|
||||
the end of the packet. The packet would still likely be dropped because
|
||||
of checksum verification.
|
||||
|
||||
Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de>
|
||||
Signed-off-by: Ben Pfaff <blp@ovn.org>
|
||||
Acked-by: Daniele Di Proietto <diproiettod@vmware.com>
|
||||
---
|
||||
lib/conntrack.c | 16 +++++++++++-----
|
||||
1 file changed, 11 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/lib/conntrack.c b/lib/conntrack.c
|
||||
index 9bea3d93e4..677c0d2a3c 100644
|
||||
--- a/lib/conntrack.c
|
||||
+++ b/lib/conntrack.c
|
||||
@@ -568,15 +568,15 @@ extract_l3_ipv6(struct conn_key *key, const void *data, size_t size,
|
||||
const char **new_data)
|
||||
{
|
||||
const struct ovs_16aligned_ip6_hdr *ip6 = data;
|
||||
- uint8_t nw_proto = ip6->ip6_nxt;
|
||||
- uint8_t nw_frag = 0;
|
||||
-
|
||||
if (new_data) {
|
||||
if (OVS_UNLIKELY(size < sizeof *ip6)) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
+ uint8_t nw_proto = ip6->ip6_nxt;
|
||||
+ uint8_t nw_frag = 0;
|
||||
+
|
||||
data = ip6 + 1;
|
||||
size -= sizeof *ip6;
|
||||
|
||||
@@ -623,8 +623,11 @@ check_l4_tcp(const struct conn_key *key, const void *data, size_t size,
|
||||
const void *l3)
|
||||
{
|
||||
const struct tcp_header *tcp = data;
|
||||
- size_t tcp_len = TCP_OFFSET(tcp->tcp_ctl) * 4;
|
||||
+ if (size < sizeof *tcp) {
|
||||
+ return false;
|
||||
+ }
|
||||
|
||||
+ size_t tcp_len = TCP_OFFSET(tcp->tcp_ctl) * 4;
|
||||
if (OVS_UNLIKELY(tcp_len < TCP_HEADER_LEN || tcp_len > size)) {
|
||||
return false;
|
||||
}
|
||||
@@ -637,8 +640,11 @@ check_l4_udp(const struct conn_key *key, const void *data, size_t size,
|
||||
const void *l3)
|
||||
{
|
||||
const struct udp_header *udp = data;
|
||||
- size_t udp_len = ntohs(udp->udp_len);
|
||||
+ if (size < sizeof *udp) {
|
||||
+ return false;
|
||||
+ }
|
||||
|
||||
+ size_t udp_len = ntohs(udp->udp_len);
|
||||
if (OVS_UNLIKELY(udp_len < UDP_HEADER_LEN || udp_len > size)) {
|
||||
return false;
|
||||
}
|
||||
@ -1,46 +0,0 @@
|
||||
From 6180d2a53ac63e9e11c945e438faffceee30f6a1 Mon Sep 17 00:00:00 2001
|
||||
From: Timothy Redaelli <tredaelli@redhat.com>
|
||||
Date: Mon, 5 Jun 2017 15:28:38 +0200
|
||||
Subject: [PATCH] tests: Export PYTHONCOERCECLOCALE=0 for python3 tests
|
||||
|
||||
This patch exports PYTHONCOERCECLOCALE=0 when you have Python3 tests
|
||||
enabled.
|
||||
This is needed since testsuite forces LC_ALL=C and Python 3, with PEP 538,
|
||||
prints the following warning on stderr:
|
||||
|
||||
"Python runtime initialized with LC_CTYPE=C (a locale with default ASCII
|
||||
encoding), which may cause Unicode compatibility problems. Using C.UTF-8,
|
||||
C.utf8, or UTF-8 (if available) as alternative Unicode-compatible locales is
|
||||
recommended."
|
||||
|
||||
AT_CHECK reports it as an error since stderr is not empty as it should be.
|
||||
|
||||
This patch is needed, at least, on Fedora 26 and Rawhide (backported PEP
|
||||
538 on Python 3.6).
|
||||
This will also be needed on any distribution with Python 3.7 (PEP 538).
|
||||
|
||||
Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
|
||||
Signed-off-by: Ben Pfaff <blp@ovn.org>
|
||||
---
|
||||
tests/atlocal.in | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/tests/atlocal.in b/tests/atlocal.in
|
||||
index bc2480bff..015817c46 100644
|
||||
--- a/tests/atlocal.in
|
||||
+++ b/tests/atlocal.in
|
||||
@@ -11,6 +11,11 @@ fi
|
||||
|
||||
if test x"$PYTHON3" = x; then
|
||||
PYTHON3='@PYTHON3@'
|
||||
+
|
||||
+ # PYTHONCOERCECLOCALE=0 disables the Unicode compatibility warning on
|
||||
+ # stderr that breaks almost any Python3 test (PEP 0538)
|
||||
+ PYTHONCOERCECLOCALE=0
|
||||
+ export PYTHONCOERCECLOCALE
|
||||
fi
|
||||
|
||||
PYTHONPATH=$abs_top_srcdir/python:$abs_top_builddir/tests:$PYTHONPATH
|
||||
--
|
||||
2.13.0
|
||||
|
||||
Loading…
Reference in new issue