Linux Kernel Open vSwitch MPLS Action Payload Length Validation Vulnerability

Vulnerability

A vulnerability exists in the Linux kernel's Open vSwitch component, specifically in how it handles MPLS (Multiprotocol Label Switching) action payloads for SET and SET_MASKED actions. The issue arises because the validation function accepted MPLS payloads as variable-sized, while Open vSwitch requires a fixed size. This vulnerability is present in the Linux kernel stable tree.

Impact

This vulnerability could lead to improper handling of MPLS action payloads, potentially allowing for incorrect flow management or manipulation within Open vSwitch, which could be exploited in a network context.

Reproduction

The vulnerability can be reproduced by sending an Open vSwitch flow modification command that includes an MPLS action payload with a variable size, using the OVS_KEY_ATTR_MPLS attribute. The validate_set function will incorrectly accept this payload, leading to the vulnerability.
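The length check at issue, as an added user-space model (not the kernel's code or its patch): it parses one netlink-style attribute and compares a lenient "variable-sized" validator with one that enforces the fixed MPLS key size for SET and for SET_MASKED (key followed by mask). The names `attr_hdr`, `ATTR_MPLS`, `validate_mpls_set` and `make_attr`, the attribute id, and the 4-byte key size (one 32-bit MPLS label stack entry) are assumptions of this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Netlink-style attribute header: total length (header included) and type. */
struct attr_hdr { uint16_t len; uint16_t type; };
#define ATTR_MPLS    21u  /* placeholder attribute id for this model (assumption) */
#define MPLS_KEY_LEN 4u   /* one 32-bit MPLS label stack entry (assumption) */

/* Validate the key attribute of a SET (masked = 0) or SET_MASKED (masked = 1)
 * action. strict = 0 models the lenient "variable-sized" acceptance,
 * strict = 1 enforces the fixed size. Returns 0 or -EINVAL. */
int validate_mpls_set(const uint8_t *buf, size_t buflen, int masked, int strict)
{
    struct attr_hdr h;
    size_t payload, key_len;
    if (buflen < sizeof(h))
        return -EINVAL;
    memcpy(&h, buf, sizeof(h));              /* avoid unaligned reads */
    if (h.len < sizeof(h) || h.len > buflen || h.type != ATTR_MPLS)
        return -EINVAL;
    payload = h.len - sizeof(h);
    if (masked && (payload % 2))             /* key and mask are equal halves */
        return -EINVAL;
    key_len = masked ? payload / 2 : payload;
    if (!strict)
        return 0;                            /* lenient: any size passes */
    return key_len == MPLS_KEY_LEN ? 0 : -EINVAL;
}

/* Build a constructed sample attribute carrying `payload` zero bytes. */
size_t make_attr(uint8_t *out, size_t payload)
{
    struct attr_hdr h = { (uint16_t)(sizeof(h) + payload), ATTR_MPLS };
    memset(out, 0, sizeof(h) + payload);
    memcpy(out, &h, sizeof(h));
    return sizeof(h) + payload;
}

int main(void)
{
    uint8_t buf[64];
    for (size_t p = 4; p <= 12; p += 4) {    /* constructed payload sizes */
        size_t n = make_attr(buf, p);
        printf("SET payload=%zu lenient=%d strict=%d\n", p,
               validate_mpls_set(buf, n, 0, 0), validate_mpls_set(buf, n, 0, 1));
    }
    return 0;
}
```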

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for downloading the patched version are available on the Linux kernel official website.

Added: Apr 25, 2026, 9:24 AM
Updated: Apr 25, 2026, 9:24 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 6.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.