Commit bf32fecd authored by Jesse Gross's avatar Jesse Gross

openvswitch: Add length check when retrieving TCP flags.

When collecting TCP flags we check that the IP header indicates that
a TCP header is present but not that the packet is actually long
enough to contain the header.  This adds a check to prevent reading
off the end of the packet.

In practice, this is only likely to result in reading of bad data and
not a crash due to the presence of struct skb_shared_info at the end
of the packet.
Signed-off-by: default avatarJesse Gross <jesse@nicira.com>
parent dd775ae2
...@@ -183,7 +183,8 @@ void ovs_flow_used(struct sw_flow *flow, struct sk_buff *skb) ...@@ -183,7 +183,8 @@ void ovs_flow_used(struct sw_flow *flow, struct sk_buff *skb)
u8 tcp_flags = 0; u8 tcp_flags = 0;
if (flow->key.eth.type == htons(ETH_P_IP) && if (flow->key.eth.type == htons(ETH_P_IP) &&
flow->key.ip.proto == IPPROTO_TCP) { flow->key.ip.proto == IPPROTO_TCP &&
likely(skb->len >= skb_transport_offset(skb) + sizeof(struct tcphdr))) {
u8 *tcp = (u8 *)tcp_hdr(skb); u8 *tcp = (u8 *)tcp_hdr(skb);
tcp_flags = *(tcp + TCP_FLAGS_OFFSET) & TCP_FLAG_MASK; tcp_flags = *(tcp + TCP_FLAGS_OFFSET) & TCP_FLAG_MASK;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment