mir/ovs
2
0
Fork 0
mirror of https://github.com/openvswitch/ovs synced 2025-08-30 22:05:19 +00:00
Code Issues Releases Wiki Activity

flow: Fix crash on vlan packets with partial offloading.

Browse Source 
parse_tcp_flags() does not care about vlan tags in a packet thus
not able to parse them.  As a result, if partial offloading is
enabled in userspace datapath vlan packets are not parsed, i.e.
has no initialized offsets.  This causes OVS crash on any attempt
to access/modify packet header fields.

For example, having the flow with following actions:
  in_port=1,ip,actions=mod_nw_src:192.168.0.7,output:IN_PORT

will lead to OVS crash on vlan packet handling:

 Process terminating with default action of signal 11 (SIGSEGV)
 Invalid read of size 4
    at 0x785657: get_16aligned_be32 (unaligned.h:249)
    by 0x785657: odp_set_ipv4 (odp-execute.c:82)
    by 0x785657: odp_execute_masked_set_action (odp-execute.c:527)
    by 0x785657: odp_execute_actions (odp-execute.c:894)
    by 0x74CDA9: dp_netdev_execute_actions (dpif-netdev.c:7355)
    by 0x74CDA9: packet_batch_per_flow_execute (dpif-netdev.c:6339)
    by 0x74CDA9: dp_netdev_input__ (dpif-netdev.c:6845)
    by 0x74DB6E: dp_netdev_input (dpif-netdev.c:6854)
    by 0x74DB6E: dp_netdev_process_rxq_port (dpif-netdev.c:4287)
    by 0x74E863: dpif_netdev_run (dpif-netdev.c:5264)
    by 0x703F57: type_run (ofproto-dpif.c:370)
    by 0x6EC8B8: ofproto_type_run (ofproto.c:1760)
    by 0x6DA52B: bridge_run__ (bridge.c:3188)
    by 0x6E083F: bridge_run (bridge.c:3252)
    by 0x1642E4: main (ovs-vswitchd.c:127)
  Address 0xc is not stack'd, malloc'd or (recently) free'd

Fix that by properly parsing vlan tags first.  Function 'parse_dl_type'
transformed for that purpose as it had no users anyway.

Added unit test for packet modification with partial offloading that
triggers above crash.

Fixes: aab96ec4d8 ("dpif-netdev: retrieve flow directly from the flow mark")
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
This commit is contained in:
Ilya Maximets
2019-10-23 22:26:52 +02:00
parent 51528c2994
commit 54e2baec09
3 changed files with 83 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
lib/flow.c
View File

@@ -1073,15 +1073,14 @@ miniflow_extract(struct dp_packet *packet, struct miniflow *dst)
dst->map = mf.map;
}
ovs_be16
parse_dl_type(const struct eth_header *data_, size_t size)
static ovs_be16
parse_dl_type(const void **datap, size_t *sizep)
{
const void *data = data_;
union flow_vlan_hdr vlans[FLOW_MAX_VLAN_HEADERS];
parse_vlan(&data, &size, vlans);
parse_vlan(datap, sizep, vlans);
return parse_ethertype(&data, &size);
return parse_ethertype(datap, sizep);
}
/* Parses and return the TCP flags in 'packet', converted to host byte order.
@@ -1104,8 +1103,7 @@ parse_tcp_flags(struct dp_packet *packet)
dp_packet_reset_offsets(packet);
data_pull(&data, &size, ETH_ADDR_LEN * 2);
dl_type = parse_ethertype(&data, &size);
dl_type = parse_dl_type(&data, &size);
if (OVS_UNLIKELY(eth_type_mpls(dl_type))) {
packet->l2_5_ofs = (char *)data - frame;
}