* [meta-virtualization][hardknott][PATCH] openvswitch: Security fix for CVE-2021-36980
@ 2021-09-29  3:36 Xu, Yanfei
  2021-10-01  2:50 ` Bruce Ashfield
  0 siblings, 1 reply; 3+ messages in thread
From: Xu, Yanfei @ 2021-09-29  3:36 UTC (permalink / raw)
  To: meta-virtualization

Open vSwitch (aka openvswitch) 2.11.0 through 2.15.0 has
a use-after-free in decode_NXAST_RAW_ENCAP (called from
ofpact_decode and ofpacts_decode) during the decoding of
a RAW_ENCAP action.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2021-36980

Patches from:
format-patch from ovs v2.15.1

Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
---
 ...use-after-free-while-decoding-RAW_EN.patch | 101 ++++++++++++++++++
 .../openvswitch/openvswitch_git.bb            |   1 +
 2 files changed, 102 insertions(+)
 create mode 100644 recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch

diff --git a/recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch b/recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch
new file mode 100644
index 00000000..c88c097d
--- /dev/null
+++ b/recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch
@@ -0,0 +1,101 @@
+From 802a31a7070cea910b95d7e926c9da30a1f9e54f Mon Sep 17 00:00:00 2001
+From: Ilya Maximets <i.maximets@ovn.org>
+Date: Tue, 16 Feb 2021 23:27:30 +0100
+Subject: [PATCH] ofp-actions: Fix use-after-free while decoding RAW_ENCAP.
+
+While decoding RAW_ENCAP action, decode_ed_prop() might re-allocate
+ofpbuf if there is no enough space left.  However, function
+'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'
+structure leading to write-after-free and incorrect decoding.
+
+  ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address
+  0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408
+  WRITE of size 2 at 0x60600000011a thread T0
+    #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20
+    #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16
+    #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21
+    #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13
+    #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12
+    #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17
+    #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13
+    #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16
+    #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21
+    #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28
+    #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9
+    #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17
+    #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5
+    #13 0x5391ae in main utilities/ovs-ofctl.c:179:9
+    #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)
+    #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)
+
+Fix that by getting a new pointer before using.
+
+Credit to OSS-Fuzz.
+
+Fuzzer regression test will fail only with AddressSanitizer enabled.
+
+Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851
+Fixes: f839892a206a ("OF support and translation of generic encap and decap")
+Acked-by: William Tu <u9012063@gmail.com>
+Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
+
+Upstream-Status: Backport
+CVE: CVE-2021-36980
+Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
+---
+ lib/ofp-actions.c                                       | 2 ++
+ tests/automake.mk                                       | 3 ++-
+ tests/fuzz-regression-list.at                           | 1 +
+ tests/fuzz-regression/ofp_print_fuzzer-6540965472632832 | 0
+ 4 files changed, 5 insertions(+), 1 deletion(-)
+ create mode 100644 tests/fuzz-regression/ofp_print_fuzzer-6540965472632832
+
+diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c
+index e2e829772..0342a228b 100644
+--- a/lib/ofp-actions.c
++++ b/lib/ofp-actions.c
+@@ -4431,6 +4431,7 @@ decode_NXAST_RAW_ENCAP(const struct nx_action_encap *nae,
+ {
+     struct ofpact_encap *encap;
+     const struct ofp_ed_prop_header *ofp_prop;
++    const size_t encap_ofs = out->size;
+     size_t props_len;
+     uint16_t n_props = 0;
+     int err;
+@@ -4458,6 +4459,7 @@ decode_NXAST_RAW_ENCAP(const struct nx_action_encap *nae,
+         }
+         n_props++;
+     }
++    encap = ofpbuf_at_assert(out, encap_ofs, sizeof *encap);
+     encap->n_props = n_props;
+     out->header = &encap->ofpact;
+     ofpact_finish_ENCAP(out, &encap);
+diff --git a/tests/automake.mk b/tests/automake.mk
+index 677b99a6b..fc80e027d 100644
+--- a/tests/automake.mk
++++ b/tests/automake.mk
+@@ -134,7 +134,8 @@ FUZZ_REGRESSION_TESTS = \
+ 	tests/fuzz-regression/ofp_print_fuzzer-5722747668791296 \
+ 	tests/fuzz-regression/ofp_print_fuzzer-6285128790704128 \
+ 	tests/fuzz-regression/ofp_print_fuzzer-6470117922701312 \
+-	tests/fuzz-regression/ofp_print_fuzzer-6502620041576448
++	tests/fuzz-regression/ofp_print_fuzzer-6502620041576448 \
++	tests/fuzz-regression/ofp_print_fuzzer-6540965472632832
+ $(srcdir)/tests/fuzz-regression-list.at: tests/automake.mk
+ 	$(AM_V_GEN)for name in $(FUZZ_REGRESSION_TESTS); do \
+             basename=`echo $$name | sed 's,^.*/,,'`; \
+diff --git a/tests/fuzz-regression-list.at b/tests/fuzz-regression-list.at
+index e3173fb88..2347c690e 100644
+--- a/tests/fuzz-regression-list.at
++++ b/tests/fuzz-regression-list.at
+@@ -21,3 +21,4 @@ TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5722747668791296])
+ TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6285128790704128])
+ TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6470117922701312])
+ TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6502620041576448])
++TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6540965472632832])
+diff --git a/tests/fuzz-regression/ofp_print_fuzzer-6540965472632832 b/tests/fuzz-regression/ofp_print_fuzzer-6540965472632832
+new file mode 100644
+index 000000000..e69de29bb
+-- 
+2.27.0
+
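Review bot: the regression input tests/fuzz-regression/ofp_print_fuzzer-6540965472632832 arrives empty in this backport (diffstat `| 0`, the trailing `new file mode 100644` entry has no hunk body, and `e69de29bb` is git's id for the empty blob), so please confirm against the upstream v2.15.1 commit that the reproducer really is a zero-length file; if it was dropped when the patch was exported, the new TEST_FUZZ_REGRESSION entry cannot reach decode_NXAST_RAW_ENCAP and would pass under AddressSanitizer without guarding anything. The code change in lib/ofp-actions.c reads correctly: `encap_ofs` is captured in the declaration block of decode_NXAST_RAW_ENCAP and `encap = ofpbuf_at_assert(out, encap_ofs, sizeof *encap);` re-derives the pointer after the property loop in which decode_ed_prop() may reallocate `out`, which also covers the `out->header = &encap->ofpact;` store visible in the context lines, not only the `encap->n_props` write.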
diff --git a/recipes-networking/openvswitch/openvswitch_git.bb b/recipes-networking/openvswitch/openvswitch_git.bb
index 16ec4c72..56f1297c 100644
--- a/recipes-networking/openvswitch/openvswitch_git.bb
+++ b/recipes-networking/openvswitch/openvswitch_git.bb
@@ -30,6 +30,7 @@ SRC_URI += "git://github.com/openvswitch/ovs.git;protocol=git;branch=branch-2.15
             file://0001-ovs-use-run-instead-of-var-run-for-in-systemd-units.patch \
             file://0001-openvswitch-fix-do_configure-with-DPDK-19.11-error.patch \
             file://0001-openvswitch-fix-netdev-dpdk-compile-error.patch \
+            file://0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch \
            "
 
 LIC_FILES_CHKSUM = "file://LICENSE;md5=1ce5d23a6429dff345518758f13aaeab"
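Review bot: the three context lines of this SRC_URI hunk (`file://0001-ovs-use-run-instead-of-var-run-for-in-systemd-units.patch`, the DPDK-19.11 do_configure fix and the netdev-dpdk compile fix) belong to the submitter's local recipe rather than to the meta-virtualization hardknott recipe, so the one-line addition of `file://0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch \` fails to apply on context; regenerate the diff against the layer's hardknott branch and keep site-local patches in a bbappend so that the submission carries only the CVE patch. The `CVE: CVE-2021-36980` tag in the added patch header is what cve-check uses to mark the issue as patched, so it should stay in the file exactly as added.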
-- 
2.27.0
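
The embedded upstream commit message describes the bug class behind CVE-2021-36980: a helper that appends to a growable buffer may reallocate it, and a pointer taken into that buffer before the loop is then written through after the loop. The C program below is an added example written for this page, not code from Open vSwitch or from the patch: it models the pattern with a constructed `struct gbuf` (standing in for ofpbuf), a constructed one-byte-length property format (standing in for the encap property encoding), and a `gbuf_at_assert()` that mirrors the offset-based re-derivation the fix performs with `ofpbuf_at_assert()`. Every name, the buffer semantics and the sample input are assumptions for illustration. Rather than performing the use-after-free, `header_pointer_survives()` reports whether the pre-loop pointer would still be valid after the loop, and `decode_encap_fixed()` shows the fixed shape.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy growable buffer, constructed for this example (not OVS's ofpbuf). Growth
 * always moves to a fresh block and frees the old one, so every earlier pointer
 * is invalidated; a real allocator may grow in place, which is why the original
 * bug only showed reliably under AddressSanitizer. */
struct gbuf {
    uint8_t *base;
    size_t size, allocated;   /* bytes in use, bytes available */
    unsigned growths;         /* how many times the block has moved */
};
/* Append n zero bytes; the returned pointer is valid only until the next growth. */
static void *gbuf_put_zeros(struct gbuf *b, size_t n) {
    if (b->size + n > b->allocated) {
        uint8_t *fresh = malloc(b->size + n);
        if (!fresh) abort();
        memcpy(fresh, b->base, b->size);
        free(b->base);
        b->base = fresh; b->allocated = b->size + n; b->growths++;
    }
    void *dst = memset(b->base + b->size, 0, n);
    b->size += n;
    return dst;
}
/* Re-derive a pointer from an offset: the idea behind ofpbuf_at_assert(). */
static void *gbuf_at_assert(struct gbuf *b, size_t ofs, size_t n) {
    assert(ofs + n <= b->size);
    return b->base + ofs;
}
/* Output header placed before the copied properties. Input wire format
 * (constructed): a run of properties, each a 1-byte length L then L bytes. */
struct encap_hdr { uint16_t n_props; uint16_t reserved; };

/* Copy each property's payload into out (length bytes dropped). Returns the
 * property count, or -1 if a property overruns the input or the count overflows. */
static int copy_props(const uint8_t *in, size_t in_len, struct gbuf *out) {
    int n = 0;
    for (size_t i = 0; i < in_len; n++) {
        size_t plen = in[i];
        if (i + 1 + plen > in_len || n == UINT16_MAX) return -1;
        memcpy(gbuf_put_zeros(out, plen), in + i + 1, plen);  /* may move out->base */
        i += 1 + plen;
    }
    return n;
}

/* Pre-fix control flow: keep the header pointer taken before the loop and report
 * whether it is still valid afterwards (1 yes, 0 invalidated by a growth inside
 * the loop, -1 malformed input). It never writes through the pointer after the
 * loop; that write is the CVE's bug. */
static int header_pointer_survives(const uint8_t *in, size_t in_len, size_t cap) {
    struct gbuf out = { .base = malloc(cap ? cap : 1), .allocated = cap };
    if (!out.base) abort();
    struct encap_hdr *encap = gbuf_put_zeros(&out, sizeof *encap);
    encap->reserved = 0;                        /* still valid at this point */
    unsigned growths_at_header = out.growths;
    int n = copy_props(in, in_len, &out);
    int rc = n < 0 ? -1 : out.growths == growths_at_header;  /* 0: encap dangles */
    free(out.base);
    return rc;
}

/* Fixed shape: remember the header's offset and re-derive the pointer after the
 * loop. Returns the property count, or -1 on malformed input. */
static int decode_encap_fixed(const uint8_t *in, size_t in_len, struct gbuf *out) {
    const size_t encap_ofs = out->size;
    gbuf_put_zeros(out, sizeof(struct encap_hdr));
    int n = copy_props(in, in_len, out);
    if (n < 0) return -1;
    struct encap_hdr *encap = gbuf_at_assert(out, encap_ofs, sizeof *encap);
    encap->n_props = (uint16_t) n;
    return n;
}

/* Decode into a fresh buffer of the given capacity; return n_props as read back
 * from the header, or -1 on malformed input. */
static int decode_and_read_header(const uint8_t *in, size_t in_len, size_t cap) {
    struct gbuf out = { .base = malloc(cap ? cap : 1), .allocated = cap };
    if (!out.base) abort();
    int n = decode_encap_fixed(in, in_len, &out);
    if (n >= 0) n = ((struct encap_hdr *) gbuf_at_assert(&out, 0, sizeof(struct encap_hdr)))->n_props;
    free(out.base);
    return n;
}

/* Constructed input: three properties of 5, 4 and 6 payload bytes (18 bytes). */
static const uint8_t SAMPLE[] = { 5,'a','b','c','d','e', 4,'w','x','y','z',
                                  6,'0','1','2','3','4','5' };
int main(void) {
    printf("pre-fix pointer survives: 8-byte buffer %d, 64-byte buffer %d\n",
           header_pointer_survives(SAMPLE, sizeof SAMPLE, 8),
           header_pointer_survives(SAMPLE, sizeof SAMPLE, 64));
    printf("fixed decoder n_props: %d\n", decode_and_read_header(SAMPLE, sizeof SAMPLE, 8));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run: with an 8-byte initial buffer the pre-loop pointer is invalidated (0) while a 64-byte buffer happens to keep it valid (1), which is the same dependence on allocator behaviour that the commit message alludes to when it says the regression test fails only with AddressSanitizer enabled. The fixed decoder returns 3 either way because it never holds a pointer across the loop, only an offset.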



* Re: [meta-virtualization][hardknott][PATCH] openvswitch: Security fix for CVE-2021-36980
  2021-09-29  3:36 [meta-virtualization][hardknott][PATCH] openvswitch: Security fix for CVE-2021-36980 Xu, Yanfei
@ 2021-10-01  2:50 ` Bruce Ashfield
  2021-10-08  2:39   ` Xu, Yanfei
  0 siblings, 1 reply; 3+ messages in thread
From: Bruce Ashfield @ 2021-10-01  2:50 UTC (permalink / raw)
  To: Xu, Yanfei; +Cc: meta-virtualization

In message: [meta-virtualization][hardknott][PATCH] openvswitch: Security fix for CVE-2021-36980
on 29/09/2021 Xu, Yanfei wrote:

> Open vSwitch (aka openvswitch) 2.11.0 through 2.15.0 has
> a use-after-free in decode_NXAST_RAW_ENCAP (called from
> ofpact_decode and ofpacts_decode) during the decoding of
> a RAW_ENCAP action.
> 
> Reference:
> https://nvd.nist.gov/vuln/detail/CVE-2021-36980
> 
> Patches from:
> format-patch from ovs v2.15.1
> 
> Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
> ---
>  ...use-after-free-while-decoding-RAW_EN.patch | 101 ++++++++++++++++++
>  .../openvswitch/openvswitch_git.bb            |   1 +
>  2 files changed, 102 insertions(+)
>  create mode 100644 recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch
> 
> diff --git a/recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch b/recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch
> new file mode 100644
> index 00000000..c88c097d
> --- /dev/null
> +++ b/recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch
> @@ -0,0 +1,101 @@
> +From 802a31a7070cea910b95d7e926c9da30a1f9e54f Mon Sep 17 00:00:00 2001
> +From: Ilya Maximets <i.maximets@ovn.org>
> +Date: Tue, 16 Feb 2021 23:27:30 +0100
> +Subject: [PATCH] ofp-actions: Fix use-after-free while decoding RAW_ENCAP.
> +
> +While decoding RAW_ENCAP action, decode_ed_prop() might re-allocate
> +ofpbuf if there is no enough space left.  However, function
> +'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'
> +structure leading to write-after-free and incorrect decoding.
> +
> +  ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address
> +  0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408
> +  WRITE of size 2 at 0x60600000011a thread T0
> +    #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20
> +    #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16
> +    #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21
> +    #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13
> +    #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12
> +    #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17
> +    #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13
> +    #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16
> +    #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21
> +    #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28
> +    #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9
> +    #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17
> +    #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5
> +    #13 0x5391ae in main utilities/ovs-ofctl.c:179:9
> +    #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)
> +    #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)
> +
> +Fix that by getting a new pointer before using.
> +
> +Credit to OSS-Fuzz.
> +
> +Fuzzer regression test will fail only with AddressSanitizer enabled.
> +
> +Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851
> +Fixes: f839892a206a ("OF support and translation of generic encap and decap")
> +Acked-by: William Tu <u9012063@gmail.com>
> +Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
> +
> +Upstream-Status: Backport
> +CVE: CVE-2021-36980
> +Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
> +---
> + lib/ofp-actions.c                                       | 2 ++
> + tests/automake.mk                                       | 3 ++-
> + tests/fuzz-regression-list.at                           | 1 +
> + tests/fuzz-regression/ofp_print_fuzzer-6540965472632832 | 0
> + 4 files changed, 5 insertions(+), 1 deletion(-)
> + create mode 100644 tests/fuzz-regression/ofp_print_fuzzer-6540965472632832
> +
> +diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c
> +index e2e829772..0342a228b 100644
> +--- a/lib/ofp-actions.c
> ++++ b/lib/ofp-actions.c
> +@@ -4431,6 +4431,7 @@ decode_NXAST_RAW_ENCAP(const struct nx_action_encap *nae,
> + {
> +     struct ofpact_encap *encap;
> +     const struct ofp_ed_prop_header *ofp_prop;
> ++    const size_t encap_ofs = out->size;
> +     size_t props_len;
> +     uint16_t n_props = 0;
> +     int err;
> +@@ -4458,6 +4459,7 @@ decode_NXAST_RAW_ENCAP(const struct nx_action_encap *nae,
> +         }
> +         n_props++;
> +     }
> ++    encap = ofpbuf_at_assert(out, encap_ofs, sizeof *encap);
> +     encap->n_props = n_props;
> +     out->header = &encap->ofpact;
> +     ofpact_finish_ENCAP(out, &encap);
> +diff --git a/tests/automake.mk b/tests/automake.mk
> +index 677b99a6b..fc80e027d 100644
> +--- a/tests/automake.mk
> ++++ b/tests/automake.mk
> +@@ -134,7 +134,8 @@ FUZZ_REGRESSION_TESTS = \
> + 	tests/fuzz-regression/ofp_print_fuzzer-5722747668791296 \
> + 	tests/fuzz-regression/ofp_print_fuzzer-6285128790704128 \
> + 	tests/fuzz-regression/ofp_print_fuzzer-6470117922701312 \
> +-	tests/fuzz-regression/ofp_print_fuzzer-6502620041576448
> ++	tests/fuzz-regression/ofp_print_fuzzer-6502620041576448 \
> ++	tests/fuzz-regression/ofp_print_fuzzer-6540965472632832
> + $(srcdir)/tests/fuzz-regression-list.at: tests/automake.mk
> + 	$(AM_V_GEN)for name in $(FUZZ_REGRESSION_TESTS); do \
> +             basename=`echo $$name | sed 's,^.*/,,'`; \
> +diff --git a/tests/fuzz-regression-list.at b/tests/fuzz-regression-list.at
> +index e3173fb88..2347c690e 100644
> +--- a/tests/fuzz-regression-list.at
> ++++ b/tests/fuzz-regression-list.at
> +@@ -21,3 +21,4 @@ TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5722747668791296])
> + TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6285128790704128])
> + TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6470117922701312])
> + TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6502620041576448])
> ++TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6540965472632832])
> +diff --git a/tests/fuzz-regression/ofp_print_fuzzer-6540965472632832 b/tests/fuzz-regression/ofp_print_fuzzer-6540965472632832
> +new file mode 100644
> +index 000000000..e69de29bb
> +-- 
> +2.27.0
> +
> diff --git a/recipes-networking/openvswitch/openvswitch_git.bb b/recipes-networking/openvswitch/openvswitch_git.bb
> index 16ec4c72..56f1297c 100644
> --- a/recipes-networking/openvswitch/openvswitch_git.bb
> +++ b/recipes-networking/openvswitch/openvswitch_git.bb
> @@ -30,6 +30,7 @@ SRC_URI += "git://github.com/openvswitch/ovs.git;protocol=git;branch=branch-2.15
>              file://0001-ovs-use-run-instead-of-var-run-for-in-systemd-units.patch \
>              file://0001-openvswitch-fix-do_configure-with-DPDK-19.11-error.patch \
>              file://0001-openvswitch-fix-netdev-dpdk-compile-error.patch \
> +            file://0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch \

You are carrying local patches to your ovs recipe that don't match meta-virt.

As such, this didn't directly apply. I fixed it up and merged it.

But you should consider carrying those patches in a bbappend, so that
upstream sends like this have proper context, and I can be more sure
of the testing that is done on submissions.

I also took this as an opportunity to bump OVS in master, since I wanted
to be sure that we have the same CVE addressed there.

Bruce

>             "
>  
>  LIC_FILES_CHKSUM = "file://LICENSE;md5=1ce5d23a6429dff345518758f13aaeab"
> -- 
> 2.27.0
> 

> 
> 
> 



* Re: [meta-virtualization][hardknott][PATCH] openvswitch: Security fix for CVE-2021-36980
  2021-10-01  2:50 ` Bruce Ashfield
@ 2021-10-08  2:39   ` Xu, Yanfei
  0 siblings, 0 replies; 3+ messages in thread
From: Xu, Yanfei @ 2021-10-08  2:39 UTC (permalink / raw)
  To: Bruce Ashfield; +Cc: meta-virtualization



On 10/1/21 10:50 AM, Bruce Ashfield wrote:
> [Please note: This e-mail is from an EXTERNAL e-mail address]
> 
> In message: [meta-virtualization][hardknott][PATCH] openvswitch: Security fix for CVE-2021-36980
> on 29/09/2021 Xu, Yanfei wrote:
> 
>> Open vSwitch (aka openvswitch) 2.11.0 through 2.15.0 has
>> a use-after-free in decode_NXAST_RAW_ENCAP (called from
>> ofpact_decode and ofpacts_decode) during the decoding of
>> a RAW_ENCAP action.
>>
>> Reference:
>> https://nvd.nist.gov/vuln/detail/CVE-2021-36980
>>
>> Patches from:
>> format-patch from ovs v2.15.1
>>
>> Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
>> ---
>>   ...use-after-free-while-decoding-RAW_EN.patch | 101 ++++++++++++++++++
>>   .../openvswitch/openvswitch_git.bb            |   1 +
>>   2 files changed, 102 insertions(+)
>>   create mode 100644 recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch
>>
>> diff --git a/recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch b/recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch
>> new file mode 100644
>> index 00000000..c88c097d
>> --- /dev/null
>> +++ b/recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch
>> @@ -0,0 +1,101 @@
>> +From 802a31a7070cea910b95d7e926c9da30a1f9e54f Mon Sep 17 00:00:00 2001
>> +From: Ilya Maximets <i.maximets@ovn.org>
>> +Date: Tue, 16 Feb 2021 23:27:30 +0100
>> +Subject: [PATCH] ofp-actions: Fix use-after-free while decoding RAW_ENCAP.
>> +
>> +While decoding RAW_ENCAP action, decode_ed_prop() might re-allocate
>> +ofpbuf if there is no enough space left.  However, function
>> +'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'
>> +structure leading to write-after-free and incorrect decoding.
>> +
>> +  ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address
>> +  0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408
>> +  WRITE of size 2 at 0x60600000011a thread T0
>> +    #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20
>> +    #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16
>> +    #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21
>> +    #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13
>> +    #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12
>> +    #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17
>> +    #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13
>> +    #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16
>> +    #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21
>> +    #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28
>> +    #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9
>> +    #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17
>> +    #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5
>> +    #13 0x5391ae in main utilities/ovs-ofctl.c:179:9
>> +    #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)
>> +    #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)
>> +
>> +Fix that by getting a new pointer before using.
>> +
>> +Credit to OSS-Fuzz.
>> +
>> +Fuzzer regression test will fail only with AddressSanitizer enabled.
>> +
>> +Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851
>> +Fixes: f839892a206a ("OF support and translation of generic encap and decap")
>> +Acked-by: William Tu <u9012063@gmail.com>
>> +Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
>> +
>> +Upstream-Status: Backport
>> +CVE: CVE-2021-36980
>> +Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
>> +---
>> + lib/ofp-actions.c                                       | 2 ++
>> + tests/automake.mk                                       | 3 ++-
>> + tests/fuzz-regression-list.at                           | 1 +
>> + tests/fuzz-regression/ofp_print_fuzzer-6540965472632832 | 0
>> + 4 files changed, 5 insertions(+), 1 deletion(-)
>> + create mode 100644 tests/fuzz-regression/ofp_print_fuzzer-6540965472632832
>> +
>> +diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c
>> +index e2e829772..0342a228b 100644
>> +--- a/lib/ofp-actions.c
>> ++++ b/lib/ofp-actions.c
>> +@@ -4431,6 +4431,7 @@ decode_NXAST_RAW_ENCAP(const struct nx_action_encap *nae,
>> + {
>> +     struct ofpact_encap *encap;
>> +     const struct ofp_ed_prop_header *ofp_prop;
>> ++    const size_t encap_ofs = out->size;
>> +     size_t props_len;
>> +     uint16_t n_props = 0;
>> +     int err;
>> +@@ -4458,6 +4459,7 @@ decode_NXAST_RAW_ENCAP(const struct nx_action_encap *nae,
>> +         }
>> +         n_props++;
>> +     }
>> ++    encap = ofpbuf_at_assert(out, encap_ofs, sizeof *encap);
>> +     encap->n_props = n_props;
>> +     out->header = &encap->ofpact;
>> +     ofpact_finish_ENCAP(out, &encap);
>> +diff --git a/tests/automake.mk b/tests/automake.mk
>> +index 677b99a6b..fc80e027d 100644
>> +--- a/tests/automake.mk
>> ++++ b/tests/automake.mk
>> +@@ -134,7 +134,8 @@ FUZZ_REGRESSION_TESTS = \
>> +     tests/fuzz-regression/ofp_print_fuzzer-5722747668791296 \
>> +     tests/fuzz-regression/ofp_print_fuzzer-6285128790704128 \
>> +     tests/fuzz-regression/ofp_print_fuzzer-6470117922701312 \
>> +-    tests/fuzz-regression/ofp_print_fuzzer-6502620041576448
>> ++    tests/fuzz-regression/ofp_print_fuzzer-6502620041576448 \
>> ++    tests/fuzz-regression/ofp_print_fuzzer-6540965472632832
>> + $(srcdir)/tests/fuzz-regression-list.at: tests/automake.mk
>> +     $(AM_V_GEN)for name in $(FUZZ_REGRESSION_TESTS); do \
>> +             basename=`echo $$name | sed 's,^.*/,,'`; \
>> +diff --git a/tests/fuzz-regression-list.at b/tests/fuzz-regression-list.at
>> +index e3173fb88..2347c690e 100644
>> +--- a/tests/fuzz-regression-list.at
>> ++++ b/tests/fuzz-regression-list.at
>> +@@ -21,3 +21,4 @@ TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5722747668791296])
>> + TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6285128790704128])
>> + TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6470117922701312])
>> + TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6502620041576448])
>> ++TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6540965472632832])
>> +diff --git a/tests/fuzz-regression/ofp_print_fuzzer-6540965472632832 b/tests/fuzz-regression/ofp_print_fuzzer-6540965472632832
>> +new file mode 100644
>> +index 000000000..e69de29bb
>> +--
>> +2.27.0
>> +
>> diff --git a/recipes-networking/openvswitch/openvswitch_git.bb b/recipes-networking/openvswitch/openvswitch_git.bb
>> index 16ec4c72..56f1297c 100644
>> --- a/recipes-networking/openvswitch/openvswitch_git.bb
>> +++ b/recipes-networking/openvswitch/openvswitch_git.bb
>> @@ -30,6 +30,7 @@ SRC_URI += "git://github.com/openvswitch/ovs.git;protocol=git;branch=branch-2.15
>>               file://0001-ovs-use-run-instead-of-var-run-for-in-systemd-units.patch \
>>               file://0001-openvswitch-fix-do_configure-with-DPDK-19.11-error.patch \
>>               file://0001-openvswitch-fix-netdev-dpdk-compile-error.patch \
>> +            file://0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch \
> 

Sorry for this late reply due to a long vacation.

> You are carrying local patches to your ovs recipe that don't match meta-virt.
> 
> As such, this didn't directly apply. I fixed it up and merged it.
> 
> But you should consider carrying those patches in a bbappend, so that
> upstream sends like this have proper context, and I can be more sure
> of the testing that is done on submissions.
> 

Thanks for reminding.

> I also took this as an opportunity to bump OVS in master, since I wanted
> to be sure that we have the same CVE addressed there.
> 

I noticed that ovs has been updated to 2.15.1, thanks a lot.

Cheers,
Yanfei

> Bruce
> 
>>              "
>>
>>   LIC_FILES_CHKSUM = "file://LICENSE;md5=1ce5d23a6429dff345518758f13aaeab"
>> --
>> 2.27.0
>>
> 
>>
>> 
>>
> 
