meta-virtualization@lists.yoctoproject.org | [master][langdale][kirkstone][PATCH] openvswitch: backport patch to fix CVE-2022-4337 and CVE-2022-4338

Home Messages Hashtags Subgroups

Date Date 1 - 4 of 4

[master][langdale][kirkstone][PATCH] openvswitch: backport patch to fix CVE-2022-4337 and CVE-2022-4338

Xiangyu Chen #7781 From: Xiangyu Chen <xiangyu.chen@...> CVE-2022-4337: openvswitch: Out-of-Bounds Read in Organization Specific TLV CVE-2022-4338: openvswitch: Integer Underflow in Organization Specific TLV Reference: https://github.com/openvswitch/ovs/pull/405 https://github.com/openvswitch/ovs/commit/7490f281f09a8455c48e19b0cf1b99ab758ee4f4 Signed-off-by: Xiangyu Chen <xiangyu.chen@...> --- ...gs-when-parsing-malformed-AutoAttach.patch \| 86 +++++++++++++++++++ .../openvswitch/openvswitch_git.bb \| 1 + 2 files changed, 87 insertions(+) create mode 100644 recipes-networking/openvswitch/files/0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch diff --git a/recipes-networking/openvswitch/files/0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch b/recipes-networking/openvswitch/files/0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch new file mode 100644 index 0000000..ec40106 --- /dev/null +++ b/recipes-networking/openvswitch/files/0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch @@ -0,0 +1,86 @@ +From 7490f281f09a8455c48e19b0cf1b99ab758ee4f4 Mon Sep 17 00:00:00 2001 +From: Qian Chen <cq674350529@...> +Date: Tue, 20 Dec 2022 09:36:08 -0500 +Subject: [PATCH] lldp: Fix bugs when parsing malformed AutoAttach. + +The OVS LLDP implementation includes support for AutoAttach standard, which +the 'upstream' lldpd project does not include. As part of adding this +support, the message parsing for these TLVs did not include proper length +checks for the LLDP_TLV_AA_ELEMENT_SUBTYPE and the +LLDP_TLV_AA_ISID_VLAN_ASGNS_SUBTYPE elements. The result is that a message +without a proper boundary will cause an overread of memory, and lead to +undefined results, including crashes or other unidentified behavior. + +The fix is to introduce proper bounds checking for these elements. Introduce +a unit test to ensure that we have some proper rejection in this code +base in the future. + +Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard") + +Upstream-Status: Backport from upstream [https://github.com/openvswitch/ovs/commit/7490f281f09a8455c48e19b0cf1b99ab758ee4f4] +CVE: CVE-2022-4337 - openvswitch: Out-of-Bounds Read in Organization Specific TLV +CVE: CVE-2022-4338 - openvswitch: Integer Underflow in Organization Specific TLV + +Signed-off-by: Qian Chen <cq674350529@...> +Co-authored-by: Aaron Conole <aconole@...> +Signed-off-by: Aaron Conole <aconole@...> +Signed-off-by: Ilya Maximets <i.maximets@...> +Signed-off-by: Xiangyu Chen <xiangyu.chen@...> +--- + lib/lldp/lldp.c \| 2 ++ + tests/ofproto-dpif.at \| 19 +++++++++++++++++++ + 2 files changed, 21 insertions(+) + +diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c +index dfeb2a800..6fdcfef56 100644 +--- a/lib/lldp/lldp.c ++++ b/lib/lldp/lldp.c +@@ -583,6 +583,7 @@ lldp_decode(struct lldpd cfg OVS_UNUSED, char frame, int s, + + switch(tlv_subtype) { + case LLDP_TLV_AA_ELEMENT_SUBTYPE: ++ CHECK_TLV_SIZE(50, "ELEMENT"); + PEEK_BYTES(&msg_auth_digest, sizeof msg_auth_digest); + + aa_element_dword = PEEK_UINT32; +@@ -629,6 +630,7 @@ lldp_decode(struct lldpd cfg OVS_UNUSED, char frame, int s, + break; + + case LLDP_TLV_AA_ISID_VLAN_ASGNS_SUBTYPE: ++ CHECK_TLV_SIZE(36, "ISID_VLAN_ASGNS"); + PEEK_BYTES(&msg_auth_digest, sizeof msg_auth_digest); + + /* Subtract off tlv type and length (2Bytes) + OUI (3B) + +diff --git a/tests/ofproto-dpif.at b/tests/ofproto-dpif.at +index eb4cd1896..fa6111c1e 100644 +--- a/tests/ofproto-dpif.at ++++ b/tests/ofproto-dpif.at +@@ -62,6 +62,25 @@ AT_CHECK([ovs-appctl coverage/read-counter rev_reconfigure], [0], [dnl + OVS_VSWITCHD_STOP + AT_CLEANUP + ++AT_SETUP([ofproto-dpif - malformed lldp autoattach tlv]) ++OVS_VSWITCHD_START() ++add_of_ports br0 1 ++ ++dnl Enable lldp ++AT_CHECK([ovs-vsctl set interface p1 lldp:enable=true]) ++ ++dnl Send a malformed lldp packet ++packet="0180c200000ef6b426aa5f0088cc020704f6b426aa5f000403057632060200780c"dnl ++"5044454144424545464445414442454546444541444245454644454144424545464445414"dnl ++"4424545464445414442454546444541444245454644454144424545464445414442454546"dnl ++"4445414442454546fe0500040d0c010000" ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 "$packet"], [0], [stdout]) ++ ++OVS_WAIT_UNTIL([grep -q "ISID_VLAN_ASGNS TLV too short" ovs-vswitchd.log]) ++ ++OVS_VSWITCHD_STOP(["/\|WARN\|ISID_VLAN_ASGNS TLV too short received on/d"]) ++AT_CLEANUP ++ + AT_SETUP([ofproto-dpif - active-backup bonding (with primary)]) + + dnl Create br0 with members p1, p2 and p7, creating bond0 with p1 and +-- +2.34.1 + diff --git a/recipes-networking/openvswitch/openvswitch_git.bb b/recipes-networking/openvswitch/openvswitch_git.bb index f5d85f3..4f4efe7 100644 --- a/recipes-networking/openvswitch/openvswitch_git.bb +++ b/recipes-networking/openvswitch/openvswitch_git.bb @@ -27,6 +27,7 @@ SRC_URI += "git://github.com/openvswitch/ovs.git;protocol=https;branch=branch-2. file://kernel_module.patch \ file://systemd-update-tool-paths.patch \ file://systemd-create-runtime-dirs.patch \ + file://0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch \ " LIC_FILES_CHKSUM = "file://LICENSE;md5=1ce5d23a6429dff345518758f13aaeab" -- 2.34.1
More All Messages By This Member
Xiangyu Chen #7793 On 12/28/22 11:56, Xiangyu Chen wrote: From: Xiangyu Chen <xiangyu.chen@...> CVE-2022-4337: openvswitch: Out-of-Bounds Read in Organization Specific TLV CVE-2022-4338: openvswitch: Integer Underflow in Organization Specific TLV Reference: https://github.com/openvswitch/ovs/pull/405 https://github.com/openvswitch/ovs/commit/7490f281f09a8455c48e19b0cf1b99ab758ee4f4 Signed-off-by: Xiangyu Chen <xiangyu.chen@...> Friendly ping, thanks ;) Br, Xiangyu --- ...gs-when-parsing-malformed-AutoAttach.patch \| 86 +++++++++++++++++++ .../openvswitch/openvswitch_git.bb \| 1 + 2 files changed, 87 insertions(+) create mode 100644 recipes-networking/openvswitch/files/0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch diff --git a/recipes-networking/openvswitch/files/0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch b/recipes-networking/openvswitch/files/0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch new file mode 100644 index 0000000..ec40106 --- /dev/null +++ b/recipes-networking/openvswitch/files/0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch @@ -0,0 +1,86 @@ +From 7490f281f09a8455c48e19b0cf1b99ab758ee4f4 Mon Sep 17 00:00:00 2001 +From: Qian Chen <cq674350529@...> +Date: Tue, 20 Dec 2022 09:36:08 -0500 +Subject: [PATCH] lldp: Fix bugs when parsing malformed AutoAttach. + +The OVS LLDP implementation includes support for AutoAttach standard, which +the 'upstream' lldpd project does not include. As part of adding this +support, the message parsing for these TLVs did not include proper length +checks for the LLDP_TLV_AA_ELEMENT_SUBTYPE and the +LLDP_TLV_AA_ISID_VLAN_ASGNS_SUBTYPE elements. The result is that a message +without a proper boundary will cause an overread of memory, and lead to +undefined results, including crashes or other unidentified behavior. + +The fix is to introduce proper bounds checking for these elements. Introduce +a unit test to ensure that we have some proper rejection in this code +base in the future. + +Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard") + +Upstream-Status: Backport from upstream [https://github.com/openvswitch/ovs/commit/7490f281f09a8455c48e19b0cf1b99ab758ee4f4] +CVE: CVE-2022-4337 - openvswitch: Out-of-Bounds Read in Organization Specific TLV +CVE: CVE-2022-4338 - openvswitch: Integer Underflow in Organization Specific TLV + +Signed-off-by: Qian Chen <cq674350529@...> +Co-authored-by: Aaron Conole <aconole@...> +Signed-off-by: Aaron Conole <aconole@...> +Signed-off-by: Ilya Maximets <i.maximets@...> +Signed-off-by: Xiangyu Chen <xiangyu.chen@...> +--- + lib/lldp/lldp.c \| 2 ++ + tests/ofproto-dpif.at \| 19 +++++++++++++++++++ + 2 files changed, 21 insertions(+) + +diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c +index dfeb2a800..6fdcfef56 100644 +--- a/lib/lldp/lldp.c ++++ b/lib/lldp/lldp.c +@@ -583,6 +583,7 @@ lldp_decode(struct lldpd cfg OVS_UNUSED, char frame, int s, + + switch(tlv_subtype) { + case LLDP_TLV_AA_ELEMENT_SUBTYPE: ++ CHECK_TLV_SIZE(50, "ELEMENT"); + PEEK_BYTES(&msg_auth_digest, sizeof msg_auth_digest); + + aa_element_dword = PEEK_UINT32; +@@ -629,6 +630,7 @@ lldp_decode(struct lldpd cfg OVS_UNUSED, char frame, int s, + break; + + case LLDP_TLV_AA_ISID_VLAN_ASGNS_SUBTYPE: ++ CHECK_TLV_SIZE(36, "ISID_VLAN_ASGNS"); + PEEK_BYTES(&msg_auth_digest, sizeof msg_auth_digest); + + /* Subtract off tlv type and length (2Bytes) + OUI (3B) + +diff --git a/tests/ofproto-dpif.at b/tests/ofproto-dpif.at +index eb4cd1896..fa6111c1e 100644 +--- a/tests/ofproto-dpif.at ++++ b/tests/ofproto-dpif.at +@@ -62,6 +62,25 @@ AT_CHECK([ovs-appctl coverage/read-counter rev_reconfigure], [0], [dnl + OVS_VSWITCHD_STOP + AT_CLEANUP + ++AT_SETUP([ofproto-dpif - malformed lldp autoattach tlv]) ++OVS_VSWITCHD_START() ++add_of_ports br0 1 ++ ++dnl Enable lldp ++AT_CHECK([ovs-vsctl set interface p1 lldp:enable=true]) ++ ++dnl Send a malformed lldp packet ++packet="0180c200000ef6b426aa5f0088cc020704f6b426aa5f000403057632060200780c"dnl ++"5044454144424545464445414442454546444541444245454644454144424545464445414"dnl ++"4424545464445414442454546444541444245454644454144424545464445414442454546"dnl ++"4445414442454546fe0500040d0c010000" ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 "$packet"], [0], [stdout]) ++ ++OVS_WAIT_UNTIL([grep -q "ISID_VLAN_ASGNS TLV too short" ovs-vswitchd.log]) ++ ++OVS_VSWITCHD_STOP(["/\|WARN\|ISID_VLAN_ASGNS TLV too short received on/d"]) ++AT_CLEANUP ++ + AT_SETUP([ofproto-dpif - active-backup bonding (with primary)]) + + dnl Create br0 with members p1, p2 and p7, creating bond0 with p1 and +-- +2.34.1 + diff --git a/recipes-networking/openvswitch/openvswitch_git.bb b/recipes-networking/openvswitch/openvswitch_git.bb index f5d85f3..4f4efe7 100644 --- a/recipes-networking/openvswitch/openvswitch_git.bb +++ b/recipes-networking/openvswitch/openvswitch_git.bb @@ -27,6 +27,7 @@ SRC_URI += "git://github.com/openvswitch/ovs.git;protocol=https;branch=branch-2. file://kernel_module.patch \ file://systemd-update-tool-paths.patch \ file://systemd-create-runtime-dirs.patch \ + file://0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch \ " LIC_FILES_CHKSUM = "file://LICENSE;md5=1ce5d23a6429dff345518758f13aaeab"
More All Messages By This Member
Bruce Ashfield #7802 On Thu, Jan 5, 2023 at 11:09 PM Xiangyu Chen <xiangyu.chen@...> wrote: On 12/28/22 11:56, Xiangyu Chen wrote: From: Xiangyu Chen <xiangyu.chen@...> CVE-2022-4337: openvswitch: Out-of-Bounds Read in Organization Specific TLV CVE-2022-4338: openvswitch: Integer Underflow in Organization Specific TLV Reference: https://github.com/openvswitch/ovs/pull/405 https://github.com/openvswitch/ovs/commit/7490f281f09a8455c48e19b0cf1b99ab758ee4f4 Signed-off-by: Xiangyu Chen <xiangyu.chen@...> Friendly ping, thanks ;) I've been on holidays, and won't be doing any merges until the start of next week. I only did a few very critical merges to keep the layer compatible with OE core master. So this has been noted and is in the queue. Bruce Br, Xiangyu --- ...gs-when-parsing-malformed-AutoAttach.patch \| 86 +++++++++++++++++++ .../openvswitch/openvswitch_git.bb \| 1 + 2 files changed, 87 insertions(+) create mode 100644 recipes-networking/openvswitch/files/0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch diff --git a/recipes-networking/openvswitch/files/0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch b/recipes-networking/openvswitch/files/0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch new file mode 100644 index 0000000..ec40106 --- /dev/null +++ b/recipes-networking/openvswitch/files/0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch @@ -0,0 +1,86 @@ +From 7490f281f09a8455c48e19b0cf1b99ab758ee4f4 Mon Sep 17 00:00:00 2001 +From: Qian Chen <cq674350529@...> +Date: Tue, 20 Dec 2022 09:36:08 -0500 +Subject: [PATCH] lldp: Fix bugs when parsing malformed AutoAttach. + +The OVS LLDP implementation includes support for AutoAttach standard, which +the 'upstream' lldpd project does not include. As part of adding this +support, the message parsing for these TLVs did not include proper length +checks for the LLDP_TLV_AA_ELEMENT_SUBTYPE and the +LLDP_TLV_AA_ISID_VLAN_ASGNS_SUBTYPE elements. The result is that a message +without a proper boundary will cause an overread of memory, and lead to +undefined results, including crashes or other unidentified behavior. + +The fix is to introduce proper bounds checking for these elements. Introduce +a unit test to ensure that we have some proper rejection in this code +base in the future. + +Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard") + +Upstream-Status: Backport from upstream [https://github.com/openvswitch/ovs/commit/7490f281f09a8455c48e19b0cf1b99ab758ee4f4] +CVE: CVE-2022-4337 - openvswitch: Out-of-Bounds Read in Organization Specific TLV +CVE: CVE-2022-4338 - openvswitch: Integer Underflow in Organization Specific TLV + +Signed-off-by: Qian Chen <cq674350529@...> +Co-authored-by: Aaron Conole <aconole@...> +Signed-off-by: Aaron Conole <aconole@...> +Signed-off-by: Ilya Maximets <i.maximets@...> +Signed-off-by: Xiangyu Chen <xiangyu.chen@...> +--- + lib/lldp/lldp.c \| 2 ++ + tests/ofproto-dpif.at \| 19 +++++++++++++++++++ + 2 files changed, 21 insertions(+) + +diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c +index dfeb2a800..6fdcfef56 100644 +--- a/lib/lldp/lldp.c ++++ b/lib/lldp/lldp.c +@@ -583,6 +583,7 @@ lldp_decode(struct lldpd cfg OVS_UNUSED, char frame, int s, + + switch(tlv_subtype) { + case LLDP_TLV_AA_ELEMENT_SUBTYPE: ++ CHECK_TLV_SIZE(50, "ELEMENT"); + PEEK_BYTES(&msg_auth_digest, sizeof msg_auth_digest); + + aa_element_dword = PEEK_UINT32; +@@ -629,6 +630,7 @@ lldp_decode(struct lldpd cfg OVS_UNUSED, char frame, int s, + break; + + case LLDP_TLV_AA_ISID_VLAN_ASGNS_SUBTYPE: ++ CHECK_TLV_SIZE(36, "ISID_VLAN_ASGNS"); + PEEK_BYTES(&msg_auth_digest, sizeof msg_auth_digest); + + /* Subtract off tlv type and length (2Bytes) + OUI (3B) + +diff --git a/tests/ofproto-dpif.at b/tests/ofproto-dpif.at +index eb4cd1896..fa6111c1e 100644 +--- a/tests/ofproto-dpif.at ++++ b/tests/ofproto-dpif.at +@@ -62,6 +62,25 @@ AT_CHECK([ovs-appctl coverage/read-counter rev_reconfigure], [0], [dnl + OVS_VSWITCHD_STOP + AT_CLEANUP + ++AT_SETUP([ofproto-dpif - malformed lldp autoattach tlv]) ++OVS_VSWITCHD_START() ++add_of_ports br0 1 ++ ++dnl Enable lldp ++AT_CHECK([ovs-vsctl set interface p1 lldp:enable=true]) ++ ++dnl Send a malformed lldp packet ++packet="0180c200000ef6b426aa5f0088cc020704f6b426aa5f000403057632060200780c"dnl ++"5044454144424545464445414442454546444541444245454644454144424545464445414"dnl ++"4424545464445414442454546444541444245454644454144424545464445414442454546"dnl ++"4445414442454546fe0500040d0c010000" ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 "$packet"], [0], [stdout]) ++ ++OVS_WAIT_UNTIL([grep -q "ISID_VLAN_ASGNS TLV too short" ovs-vswitchd.log]) ++ ++OVS_VSWITCHD_STOP(["/\|WARN\|ISID_VLAN_ASGNS TLV too short received on/d"]) ++AT_CLEANUP ++ + AT_SETUP([ofproto-dpif - active-backup bonding (with primary)]) + + dnl Create br0 with members p1, p2 and p7, creating bond0 with p1 and +-- +2.34.1 + diff --git a/recipes-networking/openvswitch/openvswitch_git.bb b/recipes-networking/openvswitch/openvswitch_git.bb index f5d85f3..4f4efe7 100644 --- a/recipes-networking/openvswitch/openvswitch_git.bb +++ b/recipes-networking/openvswitch/openvswitch_git.bb @@ -27,6 +27,7 @@ SRC_URI += "git://github.com/openvswitch/ovs.git;protocol=https;branch=branch-2. file://kernel_module.patch \ file://systemd-update-tool-paths.patch \ file://systemd-create-runtime-dirs.patch \ + file://0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch \ " LIC_FILES_CHKSUM = "file://LICENSE;md5=1ce5d23a6429dff345518758f13aaeab" -- - Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end - "Use the force Harry" - Gandalf, Star Trek II
More All Messages By This Member
Bruce Ashfield #7813 I've pushed this to the stable branches, but I have an uprev of OVS on master-next, so it doesn't look like this is needed there. Bruce On Tue, Dec 27, 2022 at 10:56 PM Xiangyu Chen <xiangyu.chen@...> wrote: From: Xiangyu Chen <xiangyu.chen@...> CVE-2022-4337: openvswitch: Out-of-Bounds Read in Organization Specific TLV CVE-2022-4338: openvswitch: Integer Underflow in Organization Specific TLV Reference: https://github.com/openvswitch/ovs/pull/405 https://github.com/openvswitch/ovs/commit/7490f281f09a8455c48e19b0cf1b99ab758ee4f4 Signed-off-by: Xiangyu Chen <xiangyu.chen@...> --- ...gs-when-parsing-malformed-AutoAttach.patch \| 86 +++++++++++++++++++ .../openvswitch/openvswitch_git.bb \| 1 + 2 files changed, 87 insertions(+) create mode 100644 recipes-networking/openvswitch/files/0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch diff --git a/recipes-networking/openvswitch/files/0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch b/recipes-networking/openvswitch/files/0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch new file mode 100644 index 0000000..ec40106 --- /dev/null +++ b/recipes-networking/openvswitch/files/0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch @@ -0,0 +1,86 @@ +From 7490f281f09a8455c48e19b0cf1b99ab758ee4f4 Mon Sep 17 00:00:00 2001 +From: Qian Chen <cq674350529@...> +Date: Tue, 20 Dec 2022 09:36:08 -0500 +Subject: [PATCH] lldp: Fix bugs when parsing malformed AutoAttach. + +The OVS LLDP implementation includes support for AutoAttach standard, which +the 'upstream' lldpd project does not include. As part of adding this +support, the message parsing for these TLVs did not include proper length +checks for the LLDP_TLV_AA_ELEMENT_SUBTYPE and the +LLDP_TLV_AA_ISID_VLAN_ASGNS_SUBTYPE elements. The result is that a message +without a proper boundary will cause an overread of memory, and lead to +undefined results, including crashes or other unidentified behavior. + +The fix is to introduce proper bounds checking for these elements. Introduce +a unit test to ensure that we have some proper rejection in this code +base in the future. + +Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard") + +Upstream-Status: Backport from upstream [https://github.com/openvswitch/ovs/commit/7490f281f09a8455c48e19b0cf1b99ab758ee4f4] +CVE: CVE-2022-4337 - openvswitch: Out-of-Bounds Read in Organization Specific TLV +CVE: CVE-2022-4338 - openvswitch: Integer Underflow in Organization Specific TLV + +Signed-off-by: Qian Chen <cq674350529@...> +Co-authored-by: Aaron Conole <aconole@...> +Signed-off-by: Aaron Conole <aconole@...> +Signed-off-by: Ilya Maximets <i.maximets@...> +Signed-off-by: Xiangyu Chen <xiangyu.chen@...> +--- + lib/lldp/lldp.c \| 2 ++ + tests/ofproto-dpif.at \| 19 +++++++++++++++++++ + 2 files changed, 21 insertions(+) + +diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c +index dfeb2a800..6fdcfef56 100644 +--- a/lib/lldp/lldp.c ++++ b/lib/lldp/lldp.c +@@ -583,6 +583,7 @@ lldp_decode(struct lldpd cfg OVS_UNUSED, char frame, int s, + + switch(tlv_subtype) { + case LLDP_TLV_AA_ELEMENT_SUBTYPE: ++ CHECK_TLV_SIZE(50, "ELEMENT"); + PEEK_BYTES(&msg_auth_digest, sizeof msg_auth_digest); + + aa_element_dword = PEEK_UINT32; +@@ -629,6 +630,7 @@ lldp_decode(struct lldpd cfg OVS_UNUSED, char frame, int s, + break; + + case LLDP_TLV_AA_ISID_VLAN_ASGNS_SUBTYPE: ++ CHECK_TLV_SIZE(36, "ISID_VLAN_ASGNS"); + PEEK_BYTES(&msg_auth_digest, sizeof msg_auth_digest); + + /* Subtract off tlv type and length (2Bytes) + OUI (3B) + +diff --git a/tests/ofproto-dpif.at b/tests/ofproto-dpif.at +index eb4cd1896..fa6111c1e 100644 +--- a/tests/ofproto-dpif.at ++++ b/tests/ofproto-dpif.at +@@ -62,6 +62,25 @@ AT_CHECK([ovs-appctl coverage/read-counter rev_reconfigure], [0], [dnl + OVS_VSWITCHD_STOP + AT_CLEANUP + ++AT_SETUP([ofproto-dpif - malformed lldp autoattach tlv]) ++OVS_VSWITCHD_START() ++add_of_ports br0 1 ++ ++dnl Enable lldp ++AT_CHECK([ovs-vsctl set interface p1 lldp:enable=true]) ++ ++dnl Send a malformed lldp packet ++packet="0180c200000ef6b426aa5f0088cc020704f6b426aa5f000403057632060200780c"dnl ++"5044454144424545464445414442454546444541444245454644454144424545464445414"dnl ++"4424545464445414442454546444541444245454644454144424545464445414442454546"dnl ++"4445414442454546fe0500040d0c010000" ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 "$packet"], [0], [stdout]) ++ ++OVS_WAIT_UNTIL([grep -q "ISID_VLAN_ASGNS TLV too short" ovs-vswitchd.log]) ++ ++OVS_VSWITCHD_STOP(["/\|WARN\|ISID_VLAN_ASGNS TLV too short received on/d"]) ++AT_CLEANUP ++ + AT_SETUP([ofproto-dpif - active-backup bonding (with primary)]) + + dnl Create br0 with members p1, p2 and p7, creating bond0 with p1 and +-- +2.34.1 + diff --git a/recipes-networking/openvswitch/openvswitch_git.bb b/recipes-networking/openvswitch/openvswitch_git.bb index f5d85f3..4f4efe7 100644 --- a/recipes-networking/openvswitch/openvswitch_git.bb +++ b/recipes-networking/openvswitch/openvswitch_git.bb @@ -27,6 +27,7 @@ SRC_URI += "git://github.com/openvswitch/ovs.git;protocol=https;branch=branch-2. file://kernel_module.patch \ file://systemd-update-tool-paths.patch \ file://systemd-create-runtime-dirs.patch \ + file://0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch \ " LIC_FILES_CHKSUM = "file://LICENSE;md5=1ce5d23a6429dff345518758f13aaeab" -- 2.34.1 -- - Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end - "Use the force Harry" - Gandalf, Star Trek II
More All Messages By This Member

1 - 4 of 4

1

Previous Topic Next Topic

Home Hashtags Subgroups Terms