+++ /dev/null
-Description: CVE-2020-27827: lldp: do not leak memory on multiple instances of TLVs
- lldp: avoid memory leak from bad packets
- .
- A packet that contains multiple instances of certain TLVs will cause
- lldpd to continually allocate memory and leak the old memory. As an
- example, multiple instances of system name TLV will cause old values
- to be dropped by the decoding routine.
- .
- Reported-at: https://github.com/openvswitch/ovs/pull/337
- Reported-by: Jonas Rudloff <jonas.t.rudloff@gmail.com>
- Signed-off-by: Aaron Conole <aconole@redhat.com>
-Author: Aaron Conole <aconole@redhat.com>
-Date: Wed, 13 Jan 2021 10:47:19 -0500
-Vulnerability: CVE-2020-27827
-Signed-off-by: Aaron Conole <aconole@redhat.com>
-Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
-Origin: upstream, https://github.com/openvswitch/ovs/commit/78e712c0b1dacc2f12d2a03d98f083d8672867f0.patch
-Bug-Debian: https://bugs.debian.org/bug=980132
-Last-Update: 2021-01-15
-
-diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c
-index e5755307fb..18afbab9a7 100644
---- a/lib/lldp/lldp.c
-+++ b/lib/lldp/lldp.c
-@@ -513,10 +513,13 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
- b = xzalloc(tlv_size + 1);
- PEEK_BYTES(b, tlv_size);
- if (tlv_type == LLDP_TLV_PORT_DESCR) {
-+ free(port->p_descr);
- port->p_descr = b;
- } else if (tlv_type == LLDP_TLV_SYSTEM_NAME) {
-+ free(chassis->c_name);
- chassis->c_name = b;
- } else {
-+ free(chassis->c_descr);
- chassis->c_descr = b;
- }
- break;
+++ /dev/null
-Subject: CVE-2020-35498: flow: Support extra padding length.
- Although not required, padding can be optionally added until
- the packet length is MTU bytes. A packet with extra padding
- currently fails sanity checks.
-Author: Flavio Leitner <fbl@sysclose.org>
-Date: Mon, 26 Oct 2020 16:03:19 -0300
-Fixes: fa8d9001a624 ("miniflow_extract: Properly handle small IP packets.")
-Reported-by: Joakim Hindersson <joakim.hindersson@elastx.se>
-Acked-by: Ilya Maximets <i.maximets@ovn.org>
-Signed-off-by: Flavio Leitner <fbl@sysclose.org>
-Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
-Origin: upstream, https://github.com/openvswitch/ovs/commit/0625dc79aec73b966f206e55655a2816696246d0
-Last-Update: 2021-04-10
-
-diff --git a/lib/conntrack.c b/lib/conntrack.c
-index bba38f9f57..feaaec1c3f 100644
---- a/lib/conntrack.c
-+++ b/lib/conntrack.c
-@@ -825,7 +825,7 @@ static void
- reverse_nat_packet(struct dp_packet *pkt, const struct conn *conn)
- {
- char *tail = dp_packet_tail(pkt);
-- uint8_t pad = dp_packet_l2_pad_size(pkt);
-+ uint16_t pad = dp_packet_l2_pad_size(pkt);
- struct conn_key inner_key;
- const char *inner_l4 = NULL;
- uint16_t orig_l3_ofs = pkt->l3_ofs;
-diff --git a/lib/dp-packet.h b/lib/dp-packet.h
-index 0430cca8eb..9e2d06b3dd 100644
---- a/lib/dp-packet.h
-+++ b/lib/dp-packet.h
-@@ -125,7 +125,7 @@ struct dp_packet {
-
- /* All the following elements of this struct are copied in a single call
- * of memcpy in dp_packet_clone_with_headroom. */
-- uint8_t l2_pad_size; /* Detected l2 padding size.
-+ uint16_t l2_pad_size; /* Detected l2 padding size.
- * Padding is non-pullable. */
- uint16_t l2_5_ofs; /* MPLS label stack offset, or UINT16_MAX */
- uint16_t l3_ofs; /* Network-level header offset,
-@@ -162,8 +162,8 @@ void *dp_packet_resize_l2(struct dp_packet *, int increment);
- void *dp_packet_resize_l2_5(struct dp_packet *, int increment);
- static inline void *dp_packet_eth(const struct dp_packet *);
- static inline void dp_packet_reset_offsets(struct dp_packet *);
--static inline uint8_t dp_packet_l2_pad_size(const struct dp_packet *);
--static inline void dp_packet_set_l2_pad_size(struct dp_packet *, uint8_t);
-+static inline uint16_t dp_packet_l2_pad_size(const struct dp_packet *);
-+static inline void dp_packet_set_l2_pad_size(struct dp_packet *, uint16_t);
- static inline void *dp_packet_l2_5(const struct dp_packet *);
- static inline void dp_packet_set_l2_5(struct dp_packet *, void *);
- static inline void *dp_packet_l3(const struct dp_packet *);
-@@ -371,14 +371,14 @@ dp_packet_reset_offsets(struct dp_packet *b)
- b->l4_ofs = UINT16_MAX;
- }
-
--static inline uint8_t
-+static inline uint16_t
- dp_packet_l2_pad_size(const struct dp_packet *b)
- {
- return b->l2_pad_size;
- }
-
- static inline void
--dp_packet_set_l2_pad_size(struct dp_packet *b, uint8_t pad_size)
-+dp_packet_set_l2_pad_size(struct dp_packet *b, uint16_t pad_size)
- {
- ovs_assert(pad_size <= dp_packet_size(b));
- b->l2_pad_size = pad_size;
-diff --git a/lib/flow.c b/lib/flow.c
-index cc1b3f2db2..729d59b1b3 100644
---- a/lib/flow.c
-+++ b/lib/flow.c
-@@ -655,7 +655,7 @@ ipv4_sanity_check(const struct ip_header *nh, size_t size,
-
- tot_len = ntohs(nh->ip_tot_len);
- if (OVS_UNLIKELY(tot_len > size || ip_len > tot_len ||
-- size - tot_len > UINT8_MAX)) {
-+ size - tot_len > UINT16_MAX)) {
- return false;
- }
-
-@@ -693,8 +693,8 @@ ipv6_sanity_check(const struct ovs_16aligned_ip6_hdr *nh, size_t size)
- if (OVS_UNLIKELY(plen + IPV6_HEADER_LEN > size)) {
- return false;
- }
-- /* Jumbo Payload option not supported yet. */
-- if (OVS_UNLIKELY(size - (plen + IPV6_HEADER_LEN) > UINT8_MAX)) {
-+
-+ if (OVS_UNLIKELY(size - (plen + IPV6_HEADER_LEN) > UINT16_MAX)) {
- return false;
- }
-
-diff --git a/tests/classifier.at b/tests/classifier.at
-index 88818618be..cdcd72c156 100644
---- a/tests/classifier.at
-+++ b/tests/classifier.at
-@@ -304,3 +304,39 @@ ovs-ofctl: "conjunction" actions may be used along with "note" but not any other
- ])
- OVS_VSWITCHD_STOP
- AT_CLEANUP
-+
-+# Flow classifier a packet with excess of padding.
-+AT_SETUP([flow classifier - packet with extra padding])
-+OVS_VSWITCHD_START
-+add_of_ports br0 1 2
-+AT_DATA([flows.txt], [dnl
-+priority=5,ip,ip_dst=1.1.1.1,actions=1
-+priority=5,ip,ip_dst=1.1.1.2,actions=2
-+priority=0,actions=drop
-+])
-+AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
-+packet=00020202020000010101010008004500001c00010000401176cc01010101010101020d6a00350008ee3a
-+AT_CHECK([ovs-appctl ofproto/trace br0 in_port=1 $packet] , [0], [stdout])
-+AT_CHECK([tail -2 stdout], [0],
-+ [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_dst=1.1.1.2,nw_frag=no
-+Datapath actions: 2
-+])
-+# normal packet plus 255 bytes of padding (8bit padding).
-+# 255 * 2 = 510
-+padding=$(printf '%*s' 510 | tr ' ' '0')
-+AT_CHECK([ovs-appctl ofproto/trace br0 in_port=1 ${packet}${padding}] , [0], [stdout])
-+AT_CHECK([tail -2 stdout], [0],
-+ [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_dst=1.1.1.2,nw_frag=no
-+Datapath actions: 2
-+])
-+# normal packet plus padding up to 65535 bytes of length (16bit limit).
-+# 65535 - 43 = 65492
-+# 65492 * 2 = 130984
-+padding=$(printf '%*s' 130984 | tr ' ' '0')
-+AT_CHECK([ovs-appctl ofproto/trace br0 in_port=1 ${packet}${padding}], [0], [stdout])
-+AT_CHECK([tail -2 stdout], [0],
-+ [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_dst=1.1.1.2,nw_frag=no
-+Datapath actions: 2
-+])
-+OVS_VSWITCHD_STOP
-+AT_CLEANUP