Diffstat (limited to 'net-misc/openvswitch/files')
-rw-r--r--net-misc/openvswitch/files/CVE-2017-9214.patch27
1 files changed, 27 insertions, 0 deletions
diff --git a/net-misc/openvswitch/files/CVE-2017-9214.patch b/net-misc/openvswitch/files/CVE-2017-9214.patch
new file mode 100644
index 00000000000..33686df3acf
--- /dev/null
+++ b/net-misc/openvswitch/files/CVE-2017-9214.patch
@@ -0,0 +1,27 @@
+Fix buffer overrread in ofputil_pull_queue_get_config_reply10()
+
+msg->size isn't the relevant measurement here because we're only supposed
+to read 'len' bytes. Reading more than that causes 'len' to underflow to a
+large number at the end of the loop.
+
+Reported-by: Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de>
+Signed-off-by: Ben Pfaff <blp at ovn.org>
+---
+ lib/ofp-util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/ofp-util.c b/lib/ofp-util.c
+index bdf89b6c3017..f05ca398c13e 100644
+--- a/lib/ofp-util.c
++++ b/lib/ofp-util.c
+@@ -2610,7 +2610,7 @@ ofputil_pull_queue_get_config_reply10(struct ofpbuf *msg,
+
+ hdr = ofpbuf_at_assert(msg, 0, sizeof *hdr);
+ prop_len = ntohs(hdr->len);
+- if (prop_len < sizeof *hdr || prop_len > msg->size || prop_len % 8) {
++ if (prop_len < sizeof *hdr || prop_len > len || prop_len % 8) {
+ return OFPERR_OFPBRC_BAD_LEN;
+ }
+
+--
+2.10.2
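Review bot: The patch header names the reporter and author but gives no pointer to its origin, so a later maintainer cannot tell which upstream change it tracks or when the file can be dropped; adding lines such as `Upstream: <upstream-commit-or-list-URL>` and `Bug: <gentoo-bug-URL>` above the `---` separator would cover that. The diffstat on this page is limited to `net-misc/openvswitch/files`, so it is not visible here whether any ebuild applies the patch; it is worth confirming that the affected version(s) list it and are revision-bumped so installed systems receive the fix. In the patched check, `prop_len > len` bounds each property by the queue's remaining length, which is only sufficient if `len` was itself validated against `msg->size` earlier. That validation, like the start and end of `ofputil_pull_queue_get_config_reply10()`, lies outside the hunk and should be checked against the version being patched.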