From beea119eb529b4a11f266004aee8b548427aea39 Mon Sep 17 00:00:00 2001
From: Hitendra Prajapati <hprajapati@mvista.com>
Date: Tue, 20 Sep 2022 10:50:18 +0530
Subject: openvswitch: CVE-2021-3905 External triggered memory leak

Source: https://gitlab.com/libvirt/libvirt
MR: 121447
Type: Security Fix
Disposition: Backport from https://github.com/openvswitch/ovs/commit/803ed12e31b0377c37d7aa8c94b3b92f2081e349
ChangeID: 8f3a31bbf11be6a5aef9b7cf6ed1c2e56c28ff44
Description:
	 CVE-2021-3905 openvswitch: External triggered memory leak in Open vSwitch while processing fragmented packets.

Affects openvswitch < 2.17.0

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
---
 .../openvswitch-git/CVE-2021-3905.patch            | 28 ++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 recipes-networking/openvswitch/openvswitch-git/CVE-2021-3905.patch

(limited to 'recipes-networking/openvswitch/openvswitch-git')

diff --git a/recipes-networking/openvswitch/openvswitch-git/CVE-2021-3905.patch b/recipes-networking/openvswitch/openvswitch-git/CVE-2021-3905.patch
new file mode 100644
index 00000000..beff3944
--- /dev/null
+++ b/recipes-networking/openvswitch/openvswitch-git/CVE-2021-3905.patch
@@ -0,0 +1,28 @@
+From 9f66c8c98f1eb55e0fb536bfaf7afaecda136b0a Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Tue, 20 Sep 2022 10:06:04 +0530
+Subject: [PATCH] CVE-2021-3905
+
+Upstream-Status: Backport [https://github.com/openvswitch/ovs/commit/803ed12e31b0377c37d7aa8c94b3b92f2081e349]
+CVE: CVE-2021-3905
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ lib/ipf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/ipf.c b/lib/ipf.c
+index 446e89d13..66203f642 100644
+--- a/lib/ipf.c
++++ b/lib/ipf.c
+@@ -945,6 +945,8 @@ ipf_extract_frags_from_batch(struct ipf *ipf, struct dp_packet_batch *pb,
+             if (!ipf_handle_frag(ipf, pkt, dl_type, zone, now, hash_basis,
+                                  pb->do_not_steal)) {
+                 dp_packet_batch_refill(pb, pkt, pb_idx);
++            } else {
++                dp_packet_delete(pkt);
+             }
+             ovs_mutex_unlock(&ipf->ipf_lock);
+         } else {
+-- 
+2.25.1
+
-- 
cgit v1.2.3-54-g00ecf