field | value | date |
---|---|---|
author | Matthew Thode <prometheanfire@gentoo.org> | 2017-05-30 11:32:15 -0500 |
committer | Matthew Thode <prometheanfire@gentoo.org> | 2017-05-30 11:32:15 -0500 |
commit | 2f0ef03da3f01aac834583e21ed090fcdaa20200 | |
tree | 10300c3b16da4c7f05aa2f9672d828e6d03d6c5e /net-misc/openvswitch/files/CVE-2017-9214.patch | |
parent | fb8b7978e8937a3852147656365b0d168806023b | |
net-misc/openvswitch: 2.7.0-r3 bump for CVE-2017-9214 bug 620200
Package-Manager: Portage-2.3.5, Repoman-2.3.2
Diffstat (limited to 'net-misc/openvswitch/files/CVE-2017-9214.patch')
-rw-r--r-- | net-misc/openvswitch/files/CVE-2017-9214.patch | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/net-misc/openvswitch/files/CVE-2017-9214.patch b/net-misc/openvswitch/files/CVE-2017-9214.patch new file mode 100644 index 00000000000..33686df3acf --- /dev/null +++ b/net-misc/openvswitch/files/CVE-2017-9214.patch @@ -0,0 +1,27 @@ +Fix buffer overrread in ofputil_pull_queue_get_config_reply10() + +msg->size isn't the relevant measurement here because we're only supposed +to read 'len' bytes. Reading more than that causes 'len' to underflow to a +large number at the end of the loop. + +Reported-by: Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de> +Signed-off-by: Ben Pfaff <blp at ovn.org> +--- + lib/ofp-util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/ofp-util.c b/lib/ofp-util.c +index bdf89b6c3017..f05ca398c13e 100644 +--- a/lib/ofp-util.c ++++ b/lib/ofp-util.c +@@ -2610,7 +2610,7 @@ ofputil_pull_queue_get_config_reply10(struct ofpbuf *msg, + + hdr = ofpbuf_at_assert(msg, 0, sizeof *hdr); + prop_len = ntohs(hdr->len); +- if (prop_len < sizeof *hdr || prop_len > msg->size || prop_len % 8) { ++ if (prop_len < sizeof *hdr || prop_len > len || prop_len % 8) { + return OFPERR_OFPBRC_BAD_LEN; + } + +-- +2.10.2 |
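Review bot: in the changed condition of ofputil_pull_queue_get_config_reply10(), swapping `prop_len > msg->size` for `prop_len > len` removes the only visible comparison against the real buffer size, and nothing in the hunk shows that `len` itself is bounded by `msg->size`. Please confirm that this invariant is established before the loop, or keep both bounds (`prop_len > len || prop_len > msg->size`) so the fix for the `len` underflow does not depend on code outside the hunk. The header is also fetched with `ofpbuf_at_assert(msg, 0, sizeof *hdr)` before any length test, so it is worth checking that the loop cannot be entered with fewer than `sizeof *hdr` bytes of `len` remaining, since the new test only rejects that case after `hdr->len` has been read. On the packaging side, the embedded patch header carries no upstream commit id or URL; adding one would make it easier to drop the file at the next version bump. The subject line of the embedded patch has a typo ("overrread"), which is harmless but makes the file harder to grep for.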