openvswitch/0001-ofp-util-Fix-buffer-overread-in-ofputil_pull_queue_g.patch

From 7b7b186a8d40fc6f287cef2582702181da74bdc3 Mon Sep 17 00:00:00 2001
From: Ben Pfaff <blp@ovn.org>
Date: Sat, 20 May 2017 16:38:24 -0700
Subject: [PATCH] ofp-util: Fix buffer overread in
 ofputil_pull_queue_get_config_reply10().

msg->size isn't the relevant measurement here because we're only supposed
to read 'len' bytes.  Reading more than that causes 'len' to underflow to a
large number at the end of the loop.

Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Greg Rose <gvrose8192@gmail.com>
---
 lib/ofp-util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/ofp-util.c b/lib/ofp-util.c
index db27abf8b..a6dd5dbdd 100644
--- a/lib/ofp-util.c
+++ b/lib/ofp-util.c
@@ -2598,7 +2598,7 @@ ofputil_pull_queue_get_config_reply10(struct ofpbuf *msg,
 
         hdr = ofpbuf_at_assert(msg, 0, sizeof *hdr);
         prop_len = ntohs(hdr->len);
-        if (prop_len < sizeof *hdr || prop_len > msg->size || prop_len % 8) {
+        if (prop_len < sizeof *hdr || prop_len > len || prop_len % 8) {
             return OFPERR_OFPBRC_BAD_LEN;
         }
 
-- 
2.12.2
Accepting request 501114 from home:markoschandras:network - Install firewalld OVN files with chmod 644 instead of 755 (4a54614120ea) - Use python-six instead of python2-six dependency to cover distributions which are not using the python-singlespec packaging specification yet (bsc#1041110) - Add upstream patch to fix a buffer overread vulnerability (cve-2017-9214) (bsc#1040543) * 0001-ofp-util-Fix-buffer-overread-in-ofputil_pull_queue_g.patch OBS-URL: https://build.opensuse.org/request/show/501114 OBS-URL: https://build.opensuse.org/package/show/network/openvswitch?expand=0&rev=114 2017-06-05 14:31:26 +02:00			`From 7b7b186a8d40fc6f287cef2582702181da74bdc3 Mon Sep 17 00:00:00 2001`
			`From: Ben Pfaff <blp@ovn.org>`
			`Date: Sat, 20 May 2017 16:38:24 -0700`
			`Subject: [PATCH] ofp-util: Fix buffer overread in`
			`ofputil_pull_queue_get_config_reply10().`

			`msg->size isn't the relevant measurement here because we're only supposed`
			`to read 'len' bytes. Reading more than that causes 'len' to underflow to a`
			`large number at the end of the loop.`

			`Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de>`
			`Signed-off-by: Ben Pfaff <blp@ovn.org>`
			`Acked-by: Greg Rose <gvrose8192@gmail.com>`
			`---`
			`lib/ofp-util.c \| 2 +-`
			`1 file changed, 1 insertion(+), 1 deletion(-)`

			`diff --git a/lib/ofp-util.c b/lib/ofp-util.c`
			`index db27abf8b..a6dd5dbdd 100644`
			`--- a/lib/ofp-util.c`
			`+++ b/lib/ofp-util.c`
			`@@ -2598,7 +2598,7 @@ ofputil_pull_queue_get_config_reply10(struct ofpbuf *msg,`

			`hdr = ofpbuf_at_assert(msg, 0, sizeof *hdr);`
			`prop_len = ntohs(hdr->len);`
			`- if (prop_len < sizeof *hdr \|\| prop_len > msg->size \|\| prop_len % 8) {`
			`+ if (prop_len < sizeof *hdr \|\| prop_len > len \|\| prop_len % 8) {`
			`return OFPERR_OFPBRC_BAD_LEN;`
			`}`

			`--`
			`2.12.2`