Bug vde_plug input handling can cause either frame loss/corruption or buffer overread by 1
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
vde2 (Ubuntu) | Fix Released | High | Unassigned |
Lucid | Won't Fix | High | Unassigned |
Precise | Won't Fix | High | Unassigned |
Bug Description
=======
SRU Justification
Impact: data is discarded under certain conditions
Regression potential: the fix has been in Ubuntu releases since quantal
Test case: an exploit is at http://
=======
Binary package hint: vde2
The vde_plug (at least on Ubuntu Hardy) contains a bug that is
triggered when a certain amount of encapsulated ether frame data
is sent to the plug in a specially timed manner. When the input
buffer is filled with just a single byte, vde_plug also uses the
first byte after the end of data, thus constructing an invalid
frame length. Depending on the frame length, either just one byte or
the complete buffer content is discarded, leading to a lost single
byte or lost complete frame content. Code from vde_plug.c:
...
void splitpacket(const unsigned char *buf,int size,VDECONN *conn)
{
....
while (size > 0) {
More info, testcases, see http://
Bug also reported upstream:
http://
Affected version:
ii vde2 2.1.6+r154-1 Virtual Distributed Ethernet
System: Hardy 8.04
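To make the described failure mode concrete, the following is an added example written for this page; it is not code from vde2, from the patch, or from the reporter. It is a simplified model of a length-prefixed frame splitter that assumes a 2-byte big-endian length header in front of each frame and a 1521-byte maximum frame (both assumed here, not read from vde_plug.c). The faulty version decodes the header whenever any input is present, so a read() that returned a single byte makes it consume the byte after the data; the corrected version holds a lone header byte until the next read supplies its partner. Both are fed the same constructed stream in which the second read returns only the first header byte of a frame.

```c
#include <stdio.h>
#include <string.h>

/* Assumed framing (not taken from vde2): 2-byte big-endian length before
 * each frame; 1521 is an assumed upper bound for an encapsulated frame. */
#define MAX_FRAME 1521
#define FRAGBUF   2048

/* Records what a parser delivered so the two versions can be compared. */
typedef struct {
    int frames, bytes, last_len; /* frames / payload bytes delivered, last frame length */
    int dropped;                 /* input bytes discarded after an impossible length */
    int need_after;              /* frame length still awaited when the stream ends */
} sink_t;

/* Per-stream reassembly state; hdr0/hdr_pending are used only by the fix. */
typedef struct {
    unsigned char frag[FRAGBUF];
    int have, need;              /* payload bytes buffered / length of frame in progress (0: none) */
    unsigned char hdr0;          /* first header byte held over from a 1-byte read */
    int hdr_pending;             /* 1 when hdr0 holds a byte */
} split_state;

typedef void (*splitfn)(split_state *, const unsigned char *, int, sink_t *);

static void deliver(sink_t *out, const unsigned char *p, int len)
{
    (void)p;                     /* a real plug would hand the frame to the switch here */
    out->frames++; out->bytes += len; out->last_len = len;
}

/* Copy payload bytes into the frame in progress; deliver it once complete. */
static void absorb_payload(split_state *st, const unsigned char **buf, int *size, sink_t *out)
{
    int want = st->need - st->have;
    int amount = *size < want ? *size : want;
    memcpy(st->frag + st->have, *buf, amount);
    st->have += amount; *buf += amount; *size -= amount;
    if (st->have == st->need) { deliver(out, st->frag, st->need); st->need = st->have = 0; }
}

/* Model of the faulty parser: the header is decoded whenever size > 0, so a
 * read() of exactly one byte makes it consume buf[1], past the received data. */
void splitpacket_buggy(split_state *st, const unsigned char *buf, int size, sink_t *out)
{
    while (size > 0) {
        if (st->need > 0) { absorb_payload(st, &buf, &size, out); continue; }
        int len = (buf[0] << 8) | buf[1];             /* BUG: buf[1] unchecked when size == 1 */
        if (len > MAX_FRAME) { out->dropped += size; return; } /* rest of buffer thrown away */
        st->need = len; st->have = 0;
        buf += 2; size -= 2;                          /* size becomes -1: the lone byte is lost */
    }
}

/* Hardened parser: a length is only decoded from bytes that were received;
 * a lone header byte is held until the next read supplies the second byte. */
void splitpacket_fixed(split_state *st, const unsigned char *buf, int size, sink_t *out)
{
    while (size > 0) {
        if (st->need > 0) { absorb_payload(st, &buf, &size, out); continue; }
        if (st->hdr_pending) {
            st->need = (st->hdr0 << 8) | buf[0];
            st->hdr_pending = 0; buf += 1; size -= 1;
        } else if (size == 1) {
            st->hdr0 = buf[0]; st->hdr_pending = 1;   /* wait; never touch buf[1] */
            return;
        } else {
            st->need = (buf[0] << 8) | buf[1];
            buf += 2; size -= 2;
        }
        st->have = 0;
        if (st->need == 0 || st->need > MAX_FRAME) {  /* impossible length: drop and resync */
            out->dropped += size; st->need = 0; return;
        }
    }
}

/* Constructed input: frame 1 = "AAAA", frame 2 = "BB", arriving in three reads;
 * the second read returns only the first header byte of frame 2. chunk2 has a
 * 0xFF sentinel behind that byte so the buggy overread is visible here without
 * undefined behaviour (in the real program that byte is whatever follows). */
sink_t run_stream(splitfn fn)
{
    static const unsigned char chunk1[] = {0x00, 0x04, 'A', 'A', 'A', 'A'};
    static const unsigned char chunk2[] = {0x00, 0xFF};
    static const unsigned char chunk3[] = {0x02, 'B', 'B'};
    split_state st; sink_t out;
    memset(&st, 0, sizeof st); memset(&out, 0, sizeof out);
    fn(&st, chunk1, 6, &out);
    fn(&st, chunk2, 1, &out);                         /* size == 1: the trigger from the report */
    fn(&st, chunk3, 3, &out);
    out.need_after = st.need;
    return out;
}

int main(void)
{
    sink_t b = run_stream(splitpacket_buggy), f = run_stream(splitpacket_fixed);
    printf("buggy: frames=%d bytes=%d, now waiting for a bogus %d-byte frame\n", b.frames, b.bytes, b.need_after);
    printf("fixed: frames=%d bytes=%d last_len=%d\n", f.frames, f.bytes, f.last_len);
    return 0;
}
```

The faulty parser delivers only the first frame: the sentinel byte turns the length 0x0002 into 0x00FF, the real header byte 0x02 is swallowed as payload, and the 2-byte frame never arrives (with more input, later frames would be glued into that 255-byte phantom frame, which is the corruption the report describes). The fixed parser delivers both frames and is idle at the end. Build with `cc -std=c99 -Wall`.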
description: updated
Changed in vde2 (Ubuntu):
status: New → Confirmed
importance: Undecided → High
tags: added: patch
description: updated
Changed in vde2 (Ubuntu Lucid):
importance: Undecided → High
Changed in vde2 (Ubuntu Precise):
importance: Undecided → High
Changed in vde2 (Ubuntu Lucid):
status: New → Confirmed
Changed in vde2 (Ubuntu Precise):
status: New → Confirmed
summary:
- Bug vde_plug input handling can cause ether frame loss/corruption or
+ Bug vde_plug input handling can cause either frame loss/corruption or buffer overread by 1
Changed in vde2 (Ubuntu):
status: Triaged → Fix Released
The following seems analogous to commit -r445 in svn, which was intended to fix this bug.
If it looks all right, I'll push this fix for proposed SRU.
Ideally, the bug Description would contain a script which could be used to verify whether the bug is present. Is that at all possible? (My impression is that you've tried but not succeeded in writing one? Hope springs eternal...)