Unverified Commit 44c6f76a authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!4833 openvswitch: fix stack OOB read while fragmenting IPv4 packets 

Merge Pull Request from: @ci-robot 
 
PR sync from: Ziyang Xuan <william.xuanziyang@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/XTHSDDITHHUJN4HQYHDGRWDJAS7DHOPQ/ 
 
https://gitee.com/src-openeuler/kernel/issues/I949B7 
 
Link:https://gitee.com/openeuler/kernel/pulls/4833

 

Reviewed-by: default avatarYue Haibing <yuehaibing@huawei.com>
Signed-off-by: default avatarZhang Changzhong <zhangchangzhong@huawei.com>
parents 84e972d6 a26a2960

net/openvswitch/actions.c

+4 −4
Original line number Diff line number Diff line
@@ -892,17 +892,17 @@ static void ovs_fragment(struct net *net, struct vport *vport, 
	}



	if (key->eth.type == htons(ETH_P_IP)) {

		struct dst_entry ovs_dst;

		struct rtable ovs_rt = { 0 };

		unsigned long orig_dst;



		prepare_frag(vport, skb, orig_network_offset,

			     ovs_key_mac_proto(key));

		dst_init(&ovs_dst, &ovs_dst_ops, NULL, 1,

		dst_init(&ovs_rt.dst, &ovs_dst_ops, NULL, 1,

			 DST_OBSOLETE_NONE, DST_NOCOUNT);

		ovs_dst.dev = vport->dev;

		ovs_rt.dst.dev = vport->dev;



		orig_dst = skb->_skb_refdst;

		skb_dst_set_noref(skb, &ovs_dst);

		skb_dst_set_noref(skb, &ovs_rt.dst);

		IPCB(skb)->frag_max_size = mru;



		ip_do_fragment(net, skb->sk, skb, ovs_vport_output);