[PATCH] [stable 4.1.y PACTH] openvswitch: fix crash cause by non-nvgre packet

[PATCH] [stable 4.1.y PACTH] openvswitch: fix crash cause by non-nvgre packet

[wenxu]

kernel BUG at include/linux/skbuff.h:1219!
invalid opcode: 0000 [#1] SMP
RIP: 0010:[<ffffffffa01dc89d>] ovs_flow_extract+0x8ed/0xa40 [openvswitch]
Call Trace:
<IRQ>
ovs_dp_process_received_packet+0x44/0x80 [openvswitch]
ovs_vport_receive+0x2e/0x30 [openvswitch]
gre_rcv+0xac/0xd0 [openvswitch]
gre_cisco_rcv+0x1c2/0x310 [openvswitch]
gre_rcv+0x59/0x80 [openvswitch]

ovs_flow_extract call __skb_pull to lead BUG_ON(skb->len < skb->data_len)
if the gre header protocol is not TEB and most part of the packet is in
the nolinear-spatial.

1. gre_rcv: pskb_may_pull(skb, 12)
pull the 12 bytes to linear-spatial(skb->data). The gre header is 8 bytes
only with key.

2. gre_cisco_rcv-->parse_gre_header-->iptunnel_pull_header
{
    if (inner_proto == htons(ETH_P_TEB)) {
        struct ethhdr *eh;

        if (unlikely(!pskb_may_pull(skb, ETH_HLEN)))
            return -ENOMEM;
        ......
    }
}
The wrong inner_proto leads no pull the Mac header to linear-spatial

3. finally It made a crash in ovs_flow_extract->__skb_pull

Signed-off-by: wenxu <wenxu@ucloud.cn>
---
 net/openvswitch/vport-gre.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/openvswitch/vport-gre.c b/net/openvswitch/vport-gre.c
index f17ac96..4a993b5 100644
--- a/net/openvswitch/vport-gre.c
+++ b/net/openvswitch/vport-gre.c
@@ -107,6 +107,9 @@ static int gre_rcv(struct sk_buff *skb,
 	if (unlikely(!vport))
 		return PACKET_REJECT;
 
+	if (unlikely(tpi->proto != htons(ETH_P_TEB)))
+		return PACKET_REJECT;
+
 	key = key_to_tunnel_id(tpi->key, tpi->seq);
 	ovs_flow_tun_info_init(&tun_info, ip_hdr(skb), 0, 0, key,
 			       filter_tnl_flags(tpi->flags), NULL, 0);
-- 
1.9.1

[PATCH] [stable 4.1.y PACTH] openvswitch: fix crash cause by non-nvgre packet

[wenxu]

kernel BUG at include/linux/skbuff.h:1219!
invalid opcode: 0000 [#1] SMP
RIP: 0010:[<ffffffffa01dc89d>] ovs_flow_extract+0x8ed/0xa40 [openvswitch]
Call Trace:
<IRQ>
ovs_dp_process_received_packet+0x44/0x80 [openvswitch]
ovs_vport_receive+0x2e/0x30 [openvswitch]
gre_rcv+0xac/0xd0 [openvswitch]
gre_cisco_rcv+0x1c2/0x310 [openvswitch]
gre_rcv+0x59/0x80 [openvswitch]

ovs_flow_extract call __skb_pull to lead BUG_ON(skb->len < skb->data_len)
if the gre header protocol is not TEB and most part of the packet is in
the nolinear-spatial.

1. gre_rcv: pskb_may_pull(skb, 12)
pull the 12 bytes to linear-spatial(skb->data). The gre header is 8 bytes
only with key.

2. gre_cisco_rcv-->parse_gre_header-->iptunnel_pull_header
{
    if (inner_proto == htons(ETH_P_TEB)) {
        struct ethhdr *eh;

        if (unlikely(!pskb_may_pull(skb, ETH_HLEN)))
            return -ENOMEM;
        ......
    }
}
The wrong inner_proto leads no pull the Mac header to linear-spatial

3. finally It made a crash in ovs_flow_extract->__skb_pull

Signed-off-by: wenxu <wenxu@ucloud.cn>
---
 net/openvswitch/vport-gre.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/openvswitch/vport-gre.c b/net/openvswitch/vport-gre.c
index f17ac96..4a993b5 100644
--- a/net/openvswitch/vport-gre.c
+++ b/net/openvswitch/vport-gre.c
@@ -107,6 +107,9 @@ static int gre_rcv(struct sk_buff *skb,
 	if (unlikely(!vport))
 		return PACKET_REJECT;
 
+	if (unlikely(tpi->proto != htons(ETH_P_TEB)))
+		return PACKET_REJECT;
+
 	key = key_to_tunnel_id(tpi->key, tpi->seq);
 	ovs_flow_tun_info_init(&tun_info, ip_hdr(skb), 0, 0, key,
 			       filter_tnl_flags(tpi->flags), NULL, 0);
-- 
1.9.1


_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev