File CVE-2024-2182.patch of Package openvswitch.42473

From 4fdfb2ba84dbc05492a4e37efc1e7af62185ed05 Mon Sep 17 00:00:00 2001
From: Frode Nordahl <frode.nordahl@canonical.com>
Date: Thu, 8 Feb 2024 09:48:12 +0100
Subject: [PATCH] controller: Set check_tnl_key for BFD on tunnel ifaces.

The OVS BFD configuration option `check_tnl_key` controls whether
OVS should consider the tunnel key before processing BFD control
messages.  The OVN pipeline design ensures traffic originating
from a logical port will have a non-zero tunnel key.

Always set `check_tnl_key` to "true" to avoid processing of
BFD control messages originating from a logical port.

Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com>
Signed-off-by: Dumitru Ceara <dceara@redhat.com>
---
 controller/bfd.c |    3 +++
 tests/ovn.at     |   22 +++++++++++-----------
 2 files changed, 14 insertions(+), 11 deletions(-)

--- a/controller/bfd.c
+++ b/controller/bfd.c
@@ -236,6 +236,9 @@
         if (mult) {
             smap_add(&bfd, "mult", mult);
         }
+        /* `check_tnl_key` must always be set to "true" to avoid processing of
+         * BFD control messages originating from a logical port. */
+        smap_add(&bfd, "check_tnl_key", "true");
     }
 
     /* Enable or disable bfd */
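Review bot: The added `smap_add(&bfd, "check_tnl_key", "true");` sits inside the block that closes on the following line, so whether the key is set "always", as the commit message promises, depends on a condition that opens outside this hunk. If that block is guarded (for example on a global options row being present, which is an inference since the opener is not visible here), tunnel interfaces could get BFD enabled without `check_tnl_key` whenever the guard is false. Consider moving the call out of the conditional block, next to where the `bfd` smap is set up. Otherwise extend the comment to say why the enclosing condition always holds when BFD is enabled, e.g. `/* Reached on every path that enables BFD; never enable BFD on a tunnel without check_tnl_key. */`.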
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -11356,7 +11356,7 @@
 for chassis in gw2 hv1 hv2; do
     echo "checking gw1 -> $chassis"
     AT_CHECK([ovs-vsctl --bare --columns bfd find Interface name=ovn-$chassis-0],[0],
-             [[enable=true
+             [[check_tnl_key=true enable=true
 ]])
 done
 
@@ -11366,7 +11366,7 @@
 for chassis in gw1 hv1 hv2; do
     echo "checking gw2 -> $chassis"
     AT_CHECK([ovs-vsctl --bare --columns bfd find Interface name=ovn-$chassis-0],[0],
-             [[enable=true
+             [[check_tnl_key=true enable=true
 ]])
 done
 
@@ -11375,7 +11375,7 @@
 for chassis in gw1 gw2; do
     echo "checking hv1 -> $chassis"
     AT_CHECK([ovs-vsctl --bare --columns bfd find Interface name=ovn-$chassis-0],[0],
-             [[enable=true
+             [[check_tnl_key=true enable=true
 ]])
 done
 # make sure BFD is not enabled to hv2, we don't need it
@@ -11389,7 +11389,7 @@
 for chassis in gw1 gw2; do
     echo "checking hv2 -> $chassis"
     AT_CHECK([ovs-vsctl --bare --columns bfd find Interface name=ovn-$chassis-0],[0],
-             [[enable=true
+             [[check_tnl_key=true enable=true
 ]])
 done
 # make sure BFD is not enabled to hv1, we don't need it
@@ -11431,7 +11431,7 @@
     echo "checking gw2 -> $chassis"
     OVS_WAIT_UNTIL([
     bfd_cfg=$(ovs-vsctl --bare --columns bfd find Interface name=ovn-$chassis-0)
-    test "$bfd_cfg" = "enable=true min_rx=2000"
+    test "$bfd_cfg" = "check_tnl_key=true enable=true min_rx=2000"
 ])
 done
 ovn-nbctl --wait=hv set NB_Global . options:"bfd-min-tx"=1500
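Review bot: The updated expectations only assert that `check_tnl_key=true` appears in the Interface `bfd` column, and none of the visible hunks exercises the behaviour the fix is for. This applies to the `OVS_WAIT_UNTIL` check here and in the two hunks that follow, and to the `AT_CHECK` hunks at 11356–11389 and 11592–11623. A regression test confirming that a BFD control message carrying a non-zero tunnel key leaves the tunnel's BFD session state unchanged would catch a later change that drops or overrides the key. At minimum, a comment beside the first check such as `# check_tnl_key=true is security-relevant (CVE-2024-2182); do not relax this expectation` would keep the string from being trimmed back to `enable=true` in a future cleanup. The enclosing `for` loop starts outside this hunk.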
@@ -11439,7 +11439,7 @@
     echo "checking gw2 -> $chassis"
     OVS_WAIT_UNTIL([
     bfd_cfg=$(ovs-vsctl --bare --columns bfd find Interface name=ovn-$chassis-0)
-    test "$bfd_cfg" = "enable=true min_rx=2000 min_tx=1500"
+    test "$bfd_cfg" = "check_tnl_key=true enable=true min_rx=2000 min_tx=1500"
 ])
 done
 ovn-nbctl remove NB_Global . options "bfd-min-rx"
@@ -11448,7 +11448,7 @@
     echo "checking gw2 -> $chassis"
     OVS_WAIT_UNTIL([
     bfd_cfg=$(ovs-vsctl --bare --columns bfd find Interface name=ovn-$chassis-0)
-    test "$bfd_cfg" = "enable=true min_tx=1500 mult=5"
+    test "$bfd_cfg" = "check_tnl_key=true enable=true min_tx=1500 mult=5"
 ])
 done
 
@@ -11592,7 +11592,7 @@
 for chassis in gw2 hv1 hv2; do
     echo "checking gw1 -> $chassis"
     AT_CHECK([ovs-vsctl --bare --columns bfd find Interface name=ovn-$chassis-0],[0],
-             [[enable=true
+             [[check_tnl_key=true enable=true
 ]])
 done
 
@@ -11601,7 +11601,7 @@
 for chassis in gw1 hv1 hv2; do
     echo "checking gw2 -> $chassis"
     AT_CHECK([ovs-vsctl --bare --columns bfd find Interface name=ovn-$chassis-0],[0],
-             [[enable=true
+             [[check_tnl_key=true enable=true
 ]])
 done
 
@@ -11610,7 +11610,7 @@
 for chassis in gw1 gw2; do
     echo "checking hv1 -> $chassis"
     AT_CHECK([ovs-vsctl --bare --columns bfd find Interface name=ovn-$chassis-0],[0],
-             [[enable=true
+             [[check_tnl_key=true enable=true
 ]])
 done
 # make sure BFD is not enabled to hv2, we don't need it
@@ -11623,7 +11623,7 @@
 for chassis in gw1 gw2; do
     echo "checking hv2 -> $chassis"
     AT_CHECK([ovs-vsctl --bare --columns bfd find Interface name=ovn-$chassis-0],[0],
-             [[enable=true
+             [[check_tnl_key=true enable=true
 ]])
 done
 # make sure BFD is not enabled to hv1, we don't need it