From 0a21b006df3f6f0af7195cb39da9fa109c53c3aa Mon Sep 17 00:00:00 2001
From: Liwei Ge
Date: Wed, 27 Mar 2024 14:13:07 +0800
Subject: [PATCH 1/3] rebuild with python3.11
---
...x-rendering-of-VLAN-Comparison-Chart.patch | 67 +++++++++++++++++++
0001-Fixed-troff-warning-in-versions.patch | 26 +++++++
...s-Add-nowarn-region-option-to-tables.patch | 56 ++++++++++++++++
...l-preprocessor-in-manpage-check-rule.patch | 31 +++++++++
openvswitch.spec | 10 ++-
5 files changed, 189 insertions(+), 1 deletion(-)
create mode 100644 0001-Fix-rendering-of-VLAN-Comparison-Chart.patch
create mode 100644 0001-Fixed-troff-warning-in-versions.patch
create mode 100644 0001-docs-Add-nowarn-region-option-to-tables.patch
create mode 100644 0002-Run-tbl-preprocessor-in-manpage-check-rule.patch
diff --git a/0001-Fix-rendering-of-VLAN-Comparison-Chart.patch b/0001-Fix-rendering-of-VLAN-Comparison-Chart.patch
new file mode 100644
index 0000000..8108611
--- /dev/null
+++ b/0001-Fix-rendering-of-VLAN-Comparison-Chart.patch
@@ -0,0 +1,67 @@ +From 9842d89e58e801b6b3a92ac079688b99b5669587 Mon Sep 17 00:00:00 2001 +From: Colin Watson +Date: Thu, 24 Aug 2023 10:31:56 +0200 +Subject: [PATCH] docs: Fix rendering of VLAN Comparison Chart. + +tbl defaults to expecting table entries to be separated by tab +characters. However, commit 5a0e4aec1af5cf7741c490bce704577e51e536b9 +converted these to spaces and inadvertently broke the rendering. Use +semicolons as separators instead; these are less prone to being broken +by tree-wide changes, and match the style used by +build-aux/extract-ofp-fields. + +Fixes: 5a0e4aec1af5 ("treewide: Convert leading tabs to spaces.") +Reported-by: Lucas Nussbaum +Reported-at: https://bugs.debian.org/1042358 +Co-authored-by: Frode Nordahl +Signed-off-by: Frode Nordahl +Signed-off-by: Colin Watson +Signed-off-by: Ilya Maximets +--- + lib/meta-flow.xml | 30 +++++++++++++++--------------- + 1 file changed, 15 insertions(+), 15 deletions(-) + +diff --git a/lib/meta-flow.xml b/lib/meta-flow.xml +index 416ea0cf224..ac72a44bce4 100644 +--- a/lib/meta-flow.xml ++++ b/lib/meta-flow.xml +@@ -3517,24 +3517,24 @@ actions=clone(load:0->NXM_OF_IN_PORT[],output:123) +

+ + +-nowarn; ++tab(;); + r r r r r. +-Criteria OpenFlow 1.0 OpenFlow 1.1 OpenFlow 1.2+ NXM +-\_ \_ \_ \_ \_ +-[1] \fL????\fR/\fL1\fR,\fL??\fR/\fL?\fR \fL????\fR/\fL1\fR,\fL??\fR/\fL?\fR \fL0000\fR/\fL0000\fR,\fL--\fR \fL0000\fR/\fL0000\fR +-[2] \fLffff\fR/\fL0\fR,\fL??\fR/\fL?\fR \fLffff\fR/\fL0\fR,\fL??\fR/\fL?\fR \fL0000\fR/\fLffff\fR,\fL--\fR \fL0000\fR/\fLffff\fR +-[3] \fL0xxx\fR/\fL0\fR,\fL??\fR/\fL1\fR \fL0xxx\fR/\fL0\fR,\fL??\fR/\fL1\fR \fL1xxx\fR/\fLffff\fR,\fL--\fR \fL1xxx\fR/\fL1fff\fR +-[4] \fL????\fR/\fL1\fR,\fL0y\fR/\fL0\fR \fLfffe\fR/\fL0\fR,\fL0y\fR/\fL0\fR \fL1000\fR/\fL1000\fR,\fL0y\fR \fLz000\fR/\fLf000\fR +-[5] \fL0xxx\fR/\fL0\fR,\fL0y\fR/\fL0\fR \fL0xxx\fR/\fL0\fR,\fL0y\fR/\fL0\fR \fL1xxx\fR/\fLffff\fR,\fL0y\fR \fLzxxx\fR/\fLffff\fR ++Criteria;OpenFlow 1.0;OpenFlow 1.1;OpenFlow 1.2+;NXM ++\_;\_;\_;\_;\_ ++[1];\fL????\fR/\fL1\fR,\fL??\fR/\fL?\fR;\fL????\fR/\fL1\fR,\fL??\fR/\fL?\fR;\fL0000\fR/\fL0000\fR,\fL--\fR;\fL0000\fR/\fL0000\fR ++[2];\fLffff\fR/\fL0\fR,\fL??\fR/\fL?\fR;\fLffff\fR/\fL0\fR,\fL??\fR/\fL?\fR;\fL0000\fR/\fLffff\fR,\fL--\fR;\fL0000\fR/\fLffff\fR ++[3];\fL0xxx\fR/\fL0\fR,\fL??\fR/\fL1\fR;\fL0xxx\fR/\fL0\fR,\fL??\fR/\fL1\fR;\fL1xxx\fR/\fLffff\fR,\fL--\fR;\fL1xxx\fR/\fL1fff\fR ++[4];\fL????\fR/\fL1\fR,\fL0y\fR/\fL0\fR;\fLfffe\fR/\fL0\fR,\fL0y\fR/\fL0\fR;\fL1000\fR/\fL1000\fR,\fL0y\fR;\fLz000\fR/\fLf000\fR ++[5];\fL0xxx\fR/\fL0\fR,\fL0y\fR/\fL0\fR;\fL0xxx\fR/\fL0\fR,\fL0y\fR/\fL0\fR;\fL1xxx\fR/\fLffff\fR,\fL0y\fR;\fLzxxx\fR/\fLffff\fR + .T& +-r r c c r. +-[6] (none) (none) \fL1001\fR/\fL1001\fR,\fL--\fR \fL1001\fR/\fL1001\fR ++r c c r r. ++[6];(none);(none);\fL1001\fR/\fL1001\fR,\fL--\fR;\fL1001\fR/\fL1001\fR + .T& +-r r c c c. +-[7] (none) (none) (none) \fL3000\fR/\fL3000\fR +-[8] (none) (none) (none) \fL0000\fR/\fL0fff\fR +-[9] (none) (none) (none) \fL0000\fR/\fLf000\fR +-[10] (none) (none) (none) \fL0000\fR/\fLefff\fR ++r c c c r. 
++[7];(none);(none);(none);\fL3000\fR/\fL3000\fR ++[8];(none);(none);(none);\fL0000\fR/\fL0fff\fR ++[9];(none);(none);(none);\fL0000\fR/\fLf000\fR ++[10];(none);(none);(none);\fL0000\fR/\fLefff\fR + + +

diff --git a/0001-Fixed-troff-warning-in-versions.patch b/0001-Fixed-troff-warning-in-versions.patch new file mode 100644 index 0000000..ba705a5 --- /dev/null +++ b/0001-Fixed-troff-warning-in-versions.patch @@ -0,0 +1,26 @@ +From 2428050aef9e52b0e523accd37ef121594bf7e4b Mon Sep 17 00:00:00 2001 +From: gordonwwang +Date: Thu, 17 Aug 2023 11:04:39 +0800 +Subject: [PATCH] [PATCH 1/1] lib/ovs.tmac: Fixed troff warning in versions + above groff-1.23 + +Signed-off-by: gordonwwang +Signed-off-by: Xiaojie Chen +Co-authored-by: Xiaojie Chen +--- + lib/ovs.tmac | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/ovs.tmac b/lib/ovs.tmac +index 5f8f20afa4a..97b6fa3df76 100644 +--- a/lib/ovs.tmac ++++ b/lib/ovs.tmac +@@ -175,7 +175,7 @@ + . nr mE \\n(.f + . nf + . nh +-. ft CW ++. ft CR + .. + . + . diff --git a/0001-docs-Add-nowarn-region-option-to-tables.patch b/0001-docs-Add-nowarn-region-option-to-tables.patch new file mode 100644 index 0000000..0ba170a --- /dev/null +++ b/0001-docs-Add-nowarn-region-option-to-tables.patch 
@@ -0,0 +1,56 @@ +From 8add72af395257825080314cb5062337fff28b31 Mon Sep 17 00:00:00 2001 +From: Liwei Ge +Date: Wed, 27 Mar 2024 14:53:41 +0800 +Subject: [PATCH] docs: Add nowarn region option to tables + +--- + build-aux/extract-ofp-fields | 6 +++--- + lib/meta-flow.xml | 1 + + 2 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/build-aux/extract-ofp-fields b/build-aux/extract-ofp-fields +index 8766995..7a9788b 100755 +--- a/build-aux/extract-ofp-fields ++++ b/build-aux/extract-ofp-fields +@@ -578,7 +578,7 @@ def field_to_xml(field_node, f, body, summary): + body += [""".PP + \\fB%s Field\\fR + .TS +-tab(;); ++tab(;),nowarn; + l lx. + """ % title] + +@@ -655,7 +655,7 @@ def group_xml_to_nroff(group_node, fields): + '.SH \"%s\"\n' % build.nroff.text_to_nroff(title.upper() + " FIELDS"), + '.SS "Summary:"\n', + '.TS\n', +- 'tab(;);\n', ++ 'tab(;),nowarn;\n', + 'l l l l l l l.\n', + 'Name;Bytes;Mask;RW?;Prereqs;NXM/OXM Support\n', + '\_;\_;\_;\_;\_;\_\n'] +@@ -665,7 +665,7 @@ def group_xml_to_nroff(group_node, fields): + return ''.join(content) + + def make_oxm_classes_xml(document): +- s = '''tab(;); ++ s = '''tab(;),nowarn; + l l l. + Prefix;Vendor;Class + \_;\_;\_ +diff --git a/lib/meta-flow.xml b/lib/meta-flow.xml +index 28865f8..d861100 100644 +--- a/lib/meta-flow.xml ++++ b/lib/meta-flow.xml +@@ -3517,6 +3517,7 @@ actions=clone(load:0->NXM_OF_IN_PORT[],output:123) +

+ + ++nowarn; + r r r r r. + Criteria OpenFlow 1.0 OpenFlow 1.1 OpenFlow 1.2+ NXM + \_ \_ \_ \_ \_ +-- +2.27.0 + diff --git a/0002-Run-tbl-preprocessor-in-manpage-check-rule.patch b/0002-Run-tbl-preprocessor-in-manpage-check-rule.patch new file mode 100644 index 0000000..0988108 --- /dev/null +++ b/0002-Run-tbl-preprocessor-in-manpage-check-rule.patch @@ -0,0 +1,31 @@ +From 6180fefa835c7cad36e89f77f3d9de13c680fb88 Mon Sep 17 00:00:00 2001 +From: Colin Watson +Date: Mon, 21 Aug 2023 15:53:34 +0200 +Subject: [PATCH] docs: Run tbl preprocessor in manpage-check rule. + +If we omit this, groff 1.23.0 warns: + + tbl preprocessor failed, or it or soelim was not run; table(s) likely + not rendered (TE macro called with TW register undefined) + +Reported-by: Lucas Nussbaum +Reported-at: https://bugs.debian.org/1042358 +Signed-off-by: Colin Watson +Signed-off-by: Ilya Maximets +--- + Makefile.am | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile.am b/Makefile.am +index db341504d37..265cf0a7b52 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -368,7 +368,7 @@ ALL_LOCAL += manpage-check + manpage-check: $(man_MANS) $(dist_man_MANS) $(noinst_man_MANS) + @error=false; \ + for manpage in $?; do \ +- LANG=en_US.UTF-8 groff -w mac -w delim -w escape -w input -w missing -w tab -T utf8 -man -p -z $$manpage >$@.tmp 2>&1; \ ++ LANG=en_US.UTF-8 groff -t -w mac -w delim -w escape -w input -w missing -w tab -T utf8 -man -p -z $$manpage >$@.tmp 2>&1; \ + if grep warning: $@.tmp; then error=:; fi; \ + rm -f $@.tmp; \ + done; \ diff --git a/openvswitch.spec b/openvswitch.spec index c36d65f..7d016ef 100644 --- a/openvswitch.spec +++ b/openvswitch.spec @@ -1,4 +1,4 @@ -%define anolis_release 1 +%define anolis_release 2 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) %global _hardened_build 1 %define _rundir /run 
@@ -22,6 +22,11 @@ License: ASL 2.0 and LGPLv2+ and SISSL Source0: https://www.openvswitch.org/releases/%{name}-%{version}.tar.gz Source1: openvswitch.sysusers +Patch1: 0001-Fixed-troff-warning-in-versions.patch +Patch2: 0002-Run-tbl-preprocessor-in-manpage-check-rule.patch +Patch3: 0001-docs-Add-nowarn-region-option-to-tables.patch +Patch4: 0001-Fix-rendering-of-VLAN-Comparison-Chart.patch + BuildRequires: gcc gcc-c++ make autoconf automake libtool BuildRequires: systemd-rpm-macros openssl openssl-devel desktop-file-utils BuildRequires: python3-devel python3-six python3-setuptools python3-sortedcontainers @@ -511,5 +516,8 @@ fi %doc NOTICE README.rst NEWS %changelog +* Wed Mar 27 2024 Liwei Ge - 2.17.6-2 +- rebuild with python3.11 + * Tue Apr 18 2023 happy_orange -2.17.6-1 - init package -- Gitee From 9ed95e89d81bf86adbf42125525d523477b5df69 Mon Sep 17 00:00:00 2001 From: dashnfschina Date: Thu, 9 May 2024 03:53:49 -0400 Subject: [PATCH 2/3] fix:CVE-2023-3966 --- 0001-fix-CVE-2023-3966.patch | 130 +++++++++++++++++++++++++++++++++++ openvswitch.spec | 6 +- 2 files changed, 135 insertions(+), 1 deletion(-) create mode 100644 0001-fix-CVE-2023-3966.patch diff --git a/0001-fix-CVE-2023-3966.patch b/0001-fix-CVE-2023-3966.patch new file mode 100644 index 0000000..6ccfb60 --- /dev/null +++ b/0001-fix-CVE-2023-3966.patch 
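Review bot: The changelog entry added in the last hunk of this section, `- rebuild with python3.11`, does not say what the commit actually ships — the four groff/tbl manpage patches registered as Patch1–Patch4 in the `@@ -22,6 +22,11 @@` hunk; a line such as `- Backport manpage/tbl fixes for groff 1.23 (Patch1-Patch4)` would keep the changelog usable for later audits. The hunk only declares the `PatchN:` tags; whether they are applied depends on the `%prep` section, which is outside these hunks — if it uses plain `%setup` rather than `%autosetup`/`%autopatch`, the tags are inert and the build is unchanged, so that should be confirmed. The ordering is also load-bearing: Patch4 (`0001-Fix-rendering-of-VLAN-Comparison-Chart.patch`) removes the `nowarn;` line that Patch3 (`0001-docs-Add-nowarn-region-option-to-tables.patch`) adds to lib/meta-flow.xml, so a one-line comment above `Patch4:` stating that it must follow Patch3 would stop a future renumbering from breaking the build.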
@@ -0,0 +1,130 @@ +From 3585beb369f241b74395eabb85270488e57868d5 Mon Sep 17 00:00:00 2001 +From: dashnfschina +Date: Mon, 6 May 2024 21:26:04 -0400 +Subject: [PATCH] fix:CVE-2023-3966 + +--- + lib/netdev-offload-tc.c | 24 +++++++++++++++++----- + tests/system-offloads-traffic.at | 34 ++++++++++++++++++++++++++++++++ + 2 files changed, 53 insertions(+), 5 deletions(-) + +diff --git a/lib/netdev-offload-tc.c b/lib/netdev-offload-tc.c +index 6d918ae..f7b414a 100644 +--- a/lib/netdev-offload-tc.c ++++ b/lib/netdev-offload-tc.c +@@ -1597,12 +1597,12 @@ test_key_and_mask(struct match *match) + return 0; + } + +-static void ++static int + flower_match_to_tun_opt(struct tc_flower *flower, const struct flow_tnl *tnl, + struct flow_tnl *tnl_mask) + { + struct geneve_opt *opt, *opt_mask; +- int len, cnt = 0; ++ int tot_opt_len, len, cnt = 0; + + /* 'flower' always has an exact match on tunnel metadata length, so having + * it in a wrong format is not acceptable unless it is empty. */ +@@ -1618,7 +1618,7 @@ flower_match_to_tun_opt(struct tc_flower *flower, const struct flow_tnl *tnl, + memset(&tnl_mask->metadata.present.map, 0, + sizeof tnl_mask->metadata.present.map); + } +- return; ++ return 0; + } + + tnl_mask->flags &= ~FLOW_TNL_F_UDPIF; +@@ -1632,7 +1632,7 @@ flower_match_to_tun_opt(struct tc_flower *flower, const struct flow_tnl *tnl, + sizeof tnl_mask->metadata.present.len); + + if (!tnl->metadata.present.len) { +- return; ++ return 0; + } + + memcpy(flower->key.tunnel.metadata.opts.gnv, tnl->metadata.opts.gnv, +@@ -1646,7 +1646,15 @@ flower_match_to_tun_opt(struct tc_flower *flower, const struct flow_tnl *tnl, + * also not masks, but actual lengths in the 'flower' structure. 
*/ + len = flower->key.tunnel.metadata.present.len; + while (len) { ++ if(len < sizeof *opt){ ++ return EOPNOTSUPP; ++ } ++ + opt = &flower->key.tunnel.metadata.opts.gnv[cnt]; ++ tot_opt_len = sizeof *opt + opt->length * 4; ++ if (len < tot_opt_len) { ++ return EOPNOTSUPP; ++ } + opt_mask = &flower->mask.tunnel.metadata.opts.gnv[cnt]; + + opt_mask->length = opt->length; +@@ -1654,6 +1662,8 @@ flower_match_to_tun_opt(struct tc_flower *flower, const struct flow_tnl *tnl, + cnt += sizeof(struct geneve_opt) / 4 + opt->length; + len -= sizeof(struct geneve_opt) + opt->length * 4; + } ++ ++ return 0; + } + + static void +@@ -1835,7 +1845,11 @@ netdev_tc_flow_put(struct netdev *netdev, struct match *match, + tnl_mask->flags &= ~(FLOW_TNL_F_DONT_FRAGMENT | FLOW_TNL_F_CSUM); + + if (!strcmp(netdev_get_type(netdev), "geneve")) { +- flower_match_to_tun_opt(&flower, tnl, tnl_mask); ++ err = flower_match_to_tun_opt(&flower, tnl, tnl_mask); ++ if (err) { ++ VLOG_WARN_RL(&warn_rl, "Unable to parse geneve options"); ++ return err; ++ } + } + flower.tunnel = true; + } else { +diff --git a/tests/system-offloads-traffic.at b/tests/system-offloads-traffic.at +index bf60e4c..e59fa3c 100644 +--- a/tests/system-offloads-traffic.at ++++ b/tests/system-offloads-traffic.at +@@ -351,3 +351,37 @@ OVS_TRAFFIC_VSWITCHD_STOP(["/could not open network device ovs-p0/d + /failed to offload flow/d + "]) + AT_CLEANUP ++ ++AT_SETUP([offloads - handling of geneve corrupted metadata - offloads enabled]) ++OVS_CHECK_GENEVE() ++ ++OVS_TRAFFIC_VSWITCHD_START( ++ [_ADD_BR([br-underlay]) -- \ ++ set bridge br0 other-config:hwaddr=f2:ff:00:00:00:01 -- \ ++ set bridge br-underlay other-config:hwaddr=f2:ff:00:00:00:02]) ++ ++AT_CHECK([ovs-vsctl set Open_vSwitch . 
other_config:hw-offload=true]) ++ ++AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"]) ++AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"]) ++ ++ADD_NAMESPACES(at_ns0) ++ ++dnl Set up underlay link from host into the namespace using veth pair. ++ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24", f2:ff:00:00:00:03) ++AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"]) ++AT_CHECK([ip link set dev br-underlay up]) ++ ++dnl Set up tunnel endpoints on OVS outside the namespace and with a native ++dnl linux device inside the namespace. ++ADD_OVS_TUNNEL([geneve], [br0], [at_gnv0], [172.31.1.1], [10.1.1.100/24]) ++ADD_NATIVE_TUNNEL([geneve], [ns_gnv0], [at_ns0], [172.31.1.100], [10.1.1.1/24], ++ [vni 0], [address f2:ff:00:00:00:04]) ++ ++NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 f2 ff 00 00 00 02 f2 ff 00 00 00 03 08 00 45 00 00 52 00 01 00 00 40 11 1f f7 ac 1f 01 01 ac 1f 01 64 de c1 17 c1 00 3e 59 e9 01 00 65 58 00 00 00 00 00 03 00 02 f2 ff 00 00 00 01 f2 ff 00 00 00 04 08 00 45 00 00 1c 00 01 00 00 40 01 64 7a 0a 01 01 01 0a 01 01 64 08 00 f7 ff 00 00 00 00 > /dev/null]) ++ ++OVS_WAIT_UNTIL([grep -q 'Invalid Geneve tunnel metadata' ovs-vswitchd.log]) ++ ++OVS_TRAFFIC_VSWITCHD_STOP(["/Invalid Geneve tunnel metadata on bridge br0 while processing icmp,in_port=1,vlan_tci=0x0000,dl_src=f2:ff:00:00:00:04,dl_dst=f2:ff:00:00:00:01,nw_src=10.1.1.1,nw_dst=10.1.1.100,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,icmp_type=8,icmp_code=0/d ++/Unable to parse geneve options/d"]) ++AT_CLEANUP +-- +2.18.2 + diff --git a/openvswitch.spec b/openvswitch.spec index 7d016ef..aee39dd 100644 --- a/openvswitch.spec +++ b/openvswitch.spec @@ -1,4 +1,4 @@ -%define anolis_release 2 +%define anolis_release 3 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) %global _hardened_build 1 %define _rundir /run 
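Review bot: The first bounds check added in flower_match_to_tun_opt, `if(len < sizeof *opt){`, is formatted unlike the second one a few lines below, `if (len < tot_opt_len) {`, and unlike the surrounding code (`if (!tnl->metadata.present.len) {`); the inner hunk should use the spaced form throughout, and a comment such as `/* 'opt->length' is read straight from the copied tunnel metadata; reject an option that would run past 'present.len' before using it. */` would record why the second guard exists. The patch body between `Subject:` and `---` is empty, so the file states neither what the unchecked `opt->length` walk did wrong nor the upstream commit it backports; a short paragraph and an `Upstream:` URL would make later review of this CVE fix much cheaper. In the added test, the only line the test waits for is `Invalid Geneve tunnel metadata`, while the message this patch introduces, `Unable to parse geneve options`, merely appears in the STOP whitelist, so the test appears to pass whether or not the new EOPNOTSUPP path is reached — worth confirming against the upstream test. Both inner hunks cut through flower_match_to_tun_opt and netdev_tc_flow_put, so the declaration of `err` used in the new `err = flower_match_to_tun_opt(&flower, tnl, tnl_mask);` line is outside the hunk.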
@@ -26,6 +26,7 @@ Patch1: 0001-Fixed-troff-warning-in-versions.patch Patch2: 0002-Run-tbl-preprocessor-in-manpage-check-rule.patch Patch3: 0001-docs-Add-nowarn-region-option-to-tables.patch Patch4: 0001-Fix-rendering-of-VLAN-Comparison-Chart.patch +Patch5: 0001-fix-CVE-2023-3966.patch BuildRequires: gcc gcc-c++ make autoconf automake libtool BuildRequires: systemd-rpm-macros openssl openssl-devel desktop-file-utils @@ -516,6 +517,9 @@ fi %doc NOTICE README.rst NEWS %changelog +* Tue May 07 2024 dash - 2.17.6-3 +- fix:CVE-2023-3966 + * Wed Mar 27 2024 Liwei Ge - 2.17.6-2 - rebuild with python3.11 -- Gitee From 84896bdb8b849711e5faf00fdc633f5f94c6cd97 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E7=AD=96?= Date: Tue, 25 Jun 2024 09:52:23 +0800 Subject: [PATCH 3/3] fix for CVE-2023-5366 --- 0006-fix-CVE-2023-5366.patch | 156 +++++++++++++++++++++++++++++++++++ openvswitch.spec | 8 +- 2 files changed, 163 insertions(+), 1 deletion(-) create mode 100644 0006-fix-CVE-2023-5366.patch diff --git a/0006-fix-CVE-2023-5366.patch b/0006-fix-CVE-2023-5366.patch new file mode 100644 index 0000000..7225feb --- /dev/null +++ b/0006-fix-CVE-2023-5366.patch 
@@ -0,0 +1,156 @@ +From 78d71878737564700cffd534bf74fb72a971cd0b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=E7=8E=8B=E7=AD=96?= +Date: Tue, 25 Jun 2024 09:42:56 +0800 +Subject: [PATCH 2/2] fix CVE-2023-5366 + +--- + lib/odp-util.c | 35 ++++++++++++---------------- + tests/ofproto-macros.at | 15 ++++++++++++ + tests/system-traffic.at | 51 +++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 81 insertions(+), 20 deletions(-) + +diff --git a/lib/odp-util.c b/lib/odp-util.c +index fac4cf3..5aaa1dc 100644 +--- a/lib/odp-util.c ++++ b/lib/odp-util.c +@@ -6402,13 +6402,11 @@ odp_flow_key_from_flow__(const struct odp_flow_key_parms *parms, + icmpv6_key->icmpv6_code = ntohs(data->tp_dst); + + if (is_nd(flow, NULL) +- /* Even though 'tp_src' and 'tp_dst' are 16 bits wide, ICMP +- * type and code are 8 bits wide. Therefore, an exact match +- * looks like htons(0xff), not htons(0xffff). See +- * xlate_wc_finish() for details. */ +- && (!export_mask || (data->tp_src == htons(0xff) +- && data->tp_dst == htons(0xff)))) { +- struct ovs_key_nd *nd_key; ++ /* Even though 'tp_src' is 16 bits wide, ICMP type is 8 bits ++ * wide. Therefore, an exact match looks like htons(0xff), ++ * not htons(0xffff). See xlate_wc_finish() for details. */ ++ && (!export_mask || data->tp_src == htons(0xff))) { ++ struct ovs_key_nd *nd_key; + nd_key = nl_msg_put_unspec_uninit(buf, OVS_KEY_ATTR_ND, + sizeof *nd_key); + nd_key->nd_target = data->nd_target; +@@ -7122,20 +7120,17 @@ parse_l2_5_onward(const struct nlattr *attrs[OVS_KEY_ATTR_MAX + 1], + flow->arp_sha = nd_key->nd_sll; + flow->arp_tha = nd_key->nd_tll; + if (is_mask) { +- /* Even though 'tp_src' and 'tp_dst' are 16 bits wide, +- * ICMP type and code are 8 bits wide. Therefore, an +- * exact match looks like htons(0xff), not +- * htons(0xffff). See xlate_wc_finish() for details. 
+- * */ +- if (!is_all_zeros(nd_key, sizeof *nd_key) && +- (flow->tp_src != htons(0xff) || +- flow->tp_dst != htons(0xff))) { ++ /* Even though 'tp_src' is 16 bits wide, ICMP type ++ * is 8 bits wide. Therefore, an exact match looks ++ * like htons(0xff), not htons(0xffff). See ++ * xlate_wc_finish() for details. */ ++ if (!is_all_zeros(nd_key, sizeof *nd_key) && ++ flow->tp_src != htons(0xff)) { + odp_parse_error(&rl, errorp, +- "ICMP (src,dst) masks should be " +- "(0xff,0xff) but are actually " +- "(%#"PRIx16",%#"PRIx16")", +- ntohs(flow->tp_src), +- ntohs(flow->tp_dst)); ++ "ICMP src mask should be " ++ "(0xff) but is actually " ++ "(%#"PRIx16")", ++ ntohs(flow->tp_src)); + return ODP_FIT_ERROR; + } else { + *expected_attrs |= UINT64_C(1) << OVS_KEY_ATTR_ND; +diff --git a/tests/ofproto-macros.at b/tests/ofproto-macros.at +index b18f0fb..9e32f53 100644 +--- a/tests/ofproto-macros.at ++++ b/tests/ofproto-macros.at +@@ -141,6 +141,21 @@ strip_stats () { + s/bytes:[[0-9]]*/bytes:0/' + } + ++# Strips key32 field from output. ++strip_key32 () { ++ sed 's/key32([[0-9 \/]]*),//' ++} ++ ++# Strips packet-type from output. ++strip_ptype () { ++ sed 's/packet_type(ns=[[0-9]]*,id=[[0-9]]*),//' ++} ++ ++# Strips bare eth from output. ++strip_eth () { ++ sed 's/eth(),//' ++} ++ + # Changes all 'recirc(...)' and 'recirc=...' to say 'recirc()' and + # 'recirc=' respectively. This should make output easier to + # compare. 
+diff --git a/tests/system-traffic.at b/tests/system-traffic.at +index 89b0d26..f8d9783 100644 +--- a/tests/system-traffic.at ++++ b/tests/system-traffic.at +@@ -1953,6 +1953,57 @@ recirc_id(),in_port(3),eth_type(0x0800),ipv4(frag=no), packets:29, bytes + OVS_TRAFFIC_VSWITCHD_STOP + AT_CLEANUP + ++AT_SETUP([datapath - Neighbor Discovery with loose match]) ++OVS_TRAFFIC_VSWITCHD_START() ++ ++ADD_NAMESPACES(at_ns0, at_ns1) ++ ++ADD_VETH(p0, at_ns0, br0, "2001::1:0:392/64", 36:b1:ee:7c:01:03) ++ADD_VETH(p1, at_ns1, br0, "2001::1:0:9/64", 36:b1:ee:7c:01:02) ++ ++dnl Set up flows for moving icmp ND Solicit around. This should be the ++dnl same for the other ND types. ++AT_DATA([flows.txt], [dnl ++table=0 priority=95 icmp6,icmp_type=136,nd_target=2001::1:0:9 actions=resubmit(,10) ++table=0 priority=95 icmp6,icmp_type=136,nd_target=2001::1:0:392 actions=resubmit(,10) ++table=0 priority=65 actions=resubmit(,20) ++table=10 actions=NORMAL ++table=20 actions=drop ++]) ++AT_CHECK([ovs-ofctl del-flows br0]) ++AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) ++ ++dnl Send a mismatching neighbor discovery. ++NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 36 b1 ee 7c 01 02 36 b1 ee 7c 01 03 86 dd 60 00 00 00 00 20 3a ff fe 80 00 00 00 00 00 00 f8 16 3e ff fe 04 66 04 fe 80 00 00 00 00 00 00 f8 16 3e ff fe a7 dd 0e 88 00 f1 f2 20 00 00 00 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 02 01 36 b1 ee 7c 01 03 > /dev/null]) ++ ++dnl Send a matching neighbor discovery. 
++NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 36 b1 ee 7c 01 02 36 b1 ee 7c 01 03 86 dd 60 00 00 00 00 20 3a ff fe 80 00 00 00 00 00 00 f8 16 3e ff fe 04 66 04 fe 80 00 00 00 00 00 00 f8 16 3e ff fe a7 dd 0e 88 00 fe 5f 20 00 00 00 20 01 00 00 00 00 00 00 00 00 00 01 00 00 03 92 02 01 36 b1 ee 7c 01 03 > /dev/null]) ++ ++AT_CHECK([ovs-appctl dpctl/dump-flows | strip_stats | strip_used | dnl ++ strip_key32 | strip_ptype | strip_eth | strip_recirc | dnl ++ grep ",nd" | sort], [0], [dnl ++recirc_id(),in_port(2),eth(src=36:b1:ee:7c:01:03,dst=36:b1:ee:7c:01:02),eth_type(0x86dd),ipv6(proto=58,frag=no),icmpv6(type=136),nd(target=2001::1:0:392), packets:0, bytes:0, used:never, actions:1,3 ++recirc_id(),in_port(2),eth_type(0x86dd),ipv6(proto=58,frag=no),icmpv6(type=136),nd(target=3000::1), packets:0, bytes:0, used:never, actions:drop ++]) ++ ++OVS_WAIT_UNTIL([ovs-appctl dpctl/dump-flows | grep ",nd" | wc -l | grep -E ^0]) ++ ++dnl Send a matching neighbor discovery. ++NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 36 b1 ee 7c 01 02 36 b1 ee 7c 01 03 86 dd 60 00 00 00 00 20 3a ff fe 80 00 00 00 00 00 00 f8 16 3e ff fe 04 66 04 fe 80 00 00 00 00 00 00 f8 16 3e ff fe a7 dd 0e 88 00 fe 5f 20 00 00 00 20 01 00 00 00 00 00 00 00 00 00 01 00 00 03 92 02 01 36 b1 ee 7c 01 03 > /dev/null]) ++ ++dnl Send a mismatching neighbor discovery. 
++NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 36 b1 ee 7c 01 02 36 b1 ee 7c 01 03 86 dd 60 00 00 00 00 20 3a ff fe 80 00 00 00 00 00 00 f8 16 3e ff fe 04 66 04 fe 80 00 00 00 00 00 00 f8 16 3e ff fe a7 dd 0e 88 00 f1 f2 20 00 00 00 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 02 01 36 b1 ee 7c 01 03 > /dev/null]) ++ ++AT_CHECK([ovs-appctl dpctl/dump-flows | strip_stats | strip_used | dnl ++ strip_key32 | strip_ptype | strip_eth | strip_recirc | dnl ++ grep ",nd" | sort], [0], [dnl ++recirc_id(),in_port(2),eth(src=36:b1:ee:7c:01:03,dst=36:b1:ee:7c:01:02),eth_type(0x86dd),ipv6(proto=58,frag=no),icmpv6(type=136),nd(target=2001::1:0:392), packets:0, bytes:0, used:never, actions:1,3 ++recirc_id(),in_port(2),eth_type(0x86dd),ipv6(proto=58,frag=no),icmpv6(type=136),nd(target=3000::1), packets:0, bytes:0, used:never, actions:drop ++]) ++ ++OVS_TRAFFIC_VSWITCHD_STOP ++AT_CLEANUP ++ + AT_BANNER([MPLS]) + + AT_SETUP([mpls - encap header dp-support]) +-- +2.27.0 + diff --git a/openvswitch.spec b/openvswitch.spec index aee39dd..186b65f 100644 --- a/openvswitch.spec +++ b/openvswitch.spec @@ -1,4 +1,4 @@ -%define anolis_release 3 +%define anolis_release 4 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) %global _hardened_build 1 %define _rundir /run @@ -28,6 +28,9 @@ Patch3: 0001-docs-Add-nowarn-region-option-to-tables.patch Patch4: 0001-Fix-rendering-of-VLAN-Comparison-Chart.patch Patch5: 0001-fix-CVE-2023-3966.patch +#https://github.com/openvswitch/ovs/commit/e235a421fbdb0c70176e8a3bef13bf7e2056cbc1 +Patch6: 0006-fix-CVE-2023-5366.patch + BuildRequires: gcc gcc-c++ make autoconf automake libtool BuildRequires: systemd-rpm-macros openssl openssl-devel desktop-file-utils BuildRequires: python3-devel python3-six python3-setuptools python3-sortedcontainers @@ -517,6 +520,9 @@ fi %doc NOTICE README.rst NEWS %changelog +* Tue Jun 25 2024 wangce - 2.17.6-4 +- fix:fix for CVE-2023-5366 + * Tue May 07 2024 dash - 2.17.6-3 - fix:CVE-2023-3966 -- Gitee
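Review bot: The patch body between `Subject: [PATCH 2/2] fix CVE-2023-5366` and `---` is empty, so nothing in the file explains why the `tp_dst` (ICMPv6 code) half of the ND mask check is dropped in both lib/odp-util.c hunks; the only pointer to the origin is the `#https://github.com/openvswitch/ovs/commit/e235a421…` comment added in openvswitch.spec, and that reference belongs in the patch header as well (an `Origin:`/`Upstream:` line) so the two stay together when the patch is rebased. The `[PATCH 2/2]` subject suggests a companion 1/2 that is not packaged; whether 2/2 is self-contained cannot be judged from here and should be checked against the upstream series. The new test in tests/system-traffic.at depends on `strip_key32`, `strip_ptype` and `strip_eth` added to tests/ofproto-macros.at in the same patch, so the two files must not be separated if the backport is ever split. Both lib/odp-util.c hunks cut through odp_flow_key_from_flow__ and parse_l2_5_onward.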