openvswitch: Relax set header validation.
When installing a flow with an action to set a particular field we need to validate that the packets that are part of the flow actually contain that header. With IP we use zeroed addresses and with TCP/UDP the check is for zeroed ports. This check is overly broad and can catch packets like DHCP requests that have a zero source address in a legitimate header. This changes the check to look for a zeroed protocol number for IP, or for both ports to be zero for TCP/UDP, before considering the header to not exist. Reported-by: Ethan Jackson <ethan@nicira.com> Signed-off-by: Jesse Gross <jesse@nicira.com>
parent
0d7614f09c
commit
4185392da4
|
@ -425,10 +425,10 @@ static int validate_sample(const struct nlattr *attr,
|
|||
static int validate_tp_port(const struct sw_flow_key *flow_key)
|
||||
{
|
||||
if (flow_key->eth.type == htons(ETH_P_IP)) {
|
||||
if (flow_key->ipv4.tp.src && flow_key->ipv4.tp.dst)
|
||||
if (flow_key->ipv4.tp.src || flow_key->ipv4.tp.dst)
|
||||
return 0;
|
||||
} else if (flow_key->eth.type == htons(ETH_P_IPV6)) {
|
||||
if (flow_key->ipv6.tp.src && flow_key->ipv6.tp.dst)
|
||||
if (flow_key->ipv6.tp.src || flow_key->ipv6.tp.dst)
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -460,7 +460,7 @@ static int validate_set(const struct nlattr *a,
|
|||
if (flow_key->eth.type != htons(ETH_P_IP))
|
||||
return -EINVAL;
|
||||
|
||||
if (!flow_key->ipv4.addr.src || !flow_key->ipv4.addr.dst)
|
||||
if (!flow_key->ip.proto)
|
||||
return -EINVAL;
|
||||
|
||||
ipv4_key = nla_data(ovs_key);
|
||||
|
|
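Review bot: The relaxed test in validate_tp_port (the `||` lines that replace `&&`) is a heuristic rather than a positive "header present" check and deserves a comment: a flow keyed on a genuine TCP/UDP header whose two ports are both zero is still rejected, and the test only works if the key's tp fields are left zero when no transport header was parsed, which this hunk does not show. Suggest adding above the IPv4 branch: `/* Heuristic: a transport header with both ports zero is indistinguishable from no transport header, so such flows are still rejected. */` Whether the caller has already confirmed that ip.proto matches the attribute being set (TCP vs UDP) is not visible here and should be verified in validate_set, since the port fields alone cannot tell the two apart. The function's trailing return lies outside the hunk.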