| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <aa099f245d93218b84b5c056b67b6058ccf81a66.1606987185.git.dcaratti@redhat.com>
Date: Thu, 3 Dec 2020 10:46:06 +0100
From: Davide Caratti <dcaratti@...hat.com>
To: Pravin B Shelar <pshelar@....org>,
Jakub Kicinski <kuba@...nel.org>,
John Hurley <john.hurley@...ronome.com>
Cc: gnault@...hat.com, marcelo.leitner@...il.com,
netdev@...r.kernel.org
Subject: [PATCH net] net: openvswitch: ensure LSE is pullable before reading it
when openvswitch is configured to mangle the LSE, the current value is
read from the packet dereferencing 4 bytes at mpls_hdr(): ensure that
the label is contained in the skb "linear" area.
Found by code inspection.
Fixes: d27cf5c59a12 ("net: core: add MPLS update core helper and use in OvS")
Signed-off-by: Davide Caratti <dcaratti@...hat.com>
---
net/openvswitch/actions.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
index 5829a020b81c..c3a664871cb5 100644
--- a/net/openvswitch/actions.c
+++ b/net/openvswitch/actions.c
@@ -199,6 +199,9 @@ static int set_mpls(struct sk_buff *skb, struct sw_flow_key *flow_key,
__be32 lse;
int err;
+ if (!pskb_may_pull(skb, skb_network_offset(skb) + MPLS_HLEN))
+ return -ENOMEM;
+
stack = mpls_hdr(skb);
lse = OVS_MASKED(stack->label_stack_entry, *mpls_lse, *mask);
err = skb_mpls_update_lse(skb, lse);
--
2.28.0
Powered by blists - more mailing lists