net-misc/openvswitch: 2.7.0-r3 bup for CVE-2017-9214 bug 620200

Package-Manager: Portage-2.3.5, Repoman-2.3.2

1 files changed, 27 insertions, 0 deletions

diff --git a/net-misc/openvswitch/files/CVE-2017-9214.patch b/net-misc/openvswitch/files/CVE-2017-9214.patch
new file mode 100644
index 00000000000..33686df3acf
--- /dev/null
+++ b/net-misc/openvswitch/files/CVE-2017-9214.patch
@@ -0,0 +1,27 @@
+Fix buffer overrread in ofputil_pull_queue_get_config_reply10()
+
+msg->size isn't the relevant measurement here because we're only supposed
+to read 'len' bytes.  Reading more than that causes 'len' to underflow to a
+large number at the end of the loop.
+
+Reported-by: Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de>
+Signed-off-by: Ben Pfaff <blp at ovn.org>
+---
+ lib/ofp-util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/ofp-util.c b/lib/ofp-util.c
+index bdf89b6c3017..f05ca398c13e 100644
+--- a/lib/ofp-util.c
++++ b/lib/ofp-util.c
+@@ -2610,7 +2610,7 @@ ofputil_pull_queue_get_config_reply10(struct ofpbuf *msg,
+
+         hdr = ofpbuf_at_assert(msg, 0, sizeof *hdr);
+         prop_len = ntohs(hdr->len);
+-        if (prop_len < sizeof *hdr || prop_len > msg->size || prop_len % 8) {
++        if (prop_len < sizeof *hdr || prop_len > len || prop_len % 8) {
+             return OFPERR_OFPBRC_BAD_LEN;
+         }
+
+--
+2.10.2