new file mode 100644

@@ -0,0 +1,174 @@

+diff -dupr a/lib/ofp-util.c b/lib/ofp-util.c

+--- a/lib/ofp-util.c	2017-02-23 23:26:16.769982618 -0800

+@@ -8690,6 +8690,7 @@ ofputil_pull_ofp11_buckets(struct ofpbuf

+         if (!ob) {

+             VLOG_WARN_RL(&bad_ofmsg_rl, "buckets end with %"PRIuSIZE" leftover bytes",

+                          buckets_length);

++            ofputil_bucket_list_destroy(buckets);

+             return OFPERR_OFPGMFC_BAD_BUCKET;

+         }

+ 

+@@ -8697,11 +8698,13 @@ ofputil_pull_ofp11_buckets(struct ofpbuf

+         if (ob_len < sizeof *ob) {

+             VLOG_WARN_RL(&bad_ofmsg_rl, "OpenFlow message bucket length "

+                          "%"PRIuSIZE" is not valid", ob_len);

++            ofputil_bucket_list_destroy(buckets);

+             return OFPERR_OFPGMFC_BAD_BUCKET;

+         } else if (ob_len > buckets_length) {

+             VLOG_WARN_RL(&bad_ofmsg_rl, "OpenFlow message bucket length "

+                          "%"PRIuSIZE" exceeds remaining buckets data size %"PRIuSIZE,

+                          ob_len, buckets_length);

++            ofputil_bucket_list_destroy(buckets);

+             return OFPERR_OFPGMFC_BAD_BUCKET;

+         }

+         buckets_length -= ob_len;

+@@ -9093,8 +9096,13 @@ ofputil_decode_ofp15_group_desc_reply(st

+      * Such properties are valid for group desc replies so

+      * claim that the group mod command is OFPGC15_ADD to

+      * satisfy the check in parse_group_prop_ntr_selection_method() */

+-    return parse_ofp15_group_properties(msg, gd->type, OFPGC15_ADD, &gd->props,

+-                                        length - sizeof *ogds - bucket_list_len);

++    error = parse_ofp15_group_properties(

++        msg, gd->type, OFPGC15_ADD, &gd->props,

++        length - sizeof *ogds - bucket_list_len);

++    if (error) {

++        ofputil_bucket_list_destroy(&gd->buckets);

++    }

++    return error;

+ }

+ 

+ /* Converts a group description reply in 'msg' into an abstract

+@@ -9331,6 +9339,7 @@ ofputil_pull_ofp11_group_mod(struct ofpb

+         && gm->command == OFPGC11_DELETE

+         && !ovs_list_is_empty(&gm->buckets)) {

+         error = OFPERR_OFPGMFC_INVALID_GROUP;

++        ofputil_bucket_list_destroy(&gm->buckets);

+     }

+ 

+     return error;

+@@ -9388,45 +9397,17 @@ ofputil_pull_ofp15_group_mod(struct ofpb

+         return error;

+     }

+ 

+-    return parse_ofp15_group_properties(msg, gm->type, gm->command, &gm->props,

+-                                        msg->size);

++    error = parse_ofp15_group_properties(msg, gm->type, gm->command,

++                                         &gm->props, msg->size);

++    if (error) {

++        ofputil_bucket_list_destroy(&gm->buckets);

++    }

++    return error;

+ }

+ 

+-/* Converts OpenFlow group mod message 'oh' into an abstract group mod in

+- * 'gm'.  Returns 0 if successful, otherwise an OpenFlow error code. */

+-enum ofperr

+-ofputil_decode_group_mod(const struct ofp_header *oh,

+-                         struct ofputil_group_mod *gm)

++static enum ofperr

++ofputil_check_group_mod(const struct ofputil_group_mod *gm)

+ {

+-    ofputil_init_group_properties(&gm->props);

+-

+-    enum ofp_version ofp_version = oh->version;

+-    struct ofpbuf msg = ofpbuf_const_initializer(oh, ntohs(oh->length));

+-    ofpraw_pull_assert(&msg);

+-

+-    enum ofperr err;

+-    switch (ofp_version)

+-    {

+-    case OFP11_VERSION:

+-    case OFP12_VERSION:

+-    case OFP13_VERSION:

+-    case OFP14_VERSION:

+-        err = ofputil_pull_ofp11_group_mod(&msg, ofp_version, gm);

+-        break;

+-

+-    case OFP15_VERSION:

+-    case OFP16_VERSION:

+-        err = ofputil_pull_ofp15_group_mod(&msg, ofp_version, gm);

+-        break;

+-

+-    case OFP10_VERSION:

+-    default:

+-        OVS_NOT_REACHED();

+-    }

+-    if (err) {

+-        return err;

+-    }

+-

+     switch (gm->type) {

+     case OFPGT11_INDIRECT:

+         if (gm->command != OFPGC11_DELETE

+@@ -9473,6 +9473,48 @@ ofputil_check_group_mod(const struct ofputil_group_mod *gm)

+     return 0;

+ }

+ 

++/* Converts OpenFlow group mod message 'oh' into an abstract group mod in

++ * 'gm'.  Returns 0 if successful, otherwise an OpenFlow error code. */

++enum ofperr

++ofputil_decode_group_mod(const struct ofp_header *oh,

++                         struct ofputil_group_mod *gm)

++{

++    ofputil_init_group_properties(&gm->props);

++

++    enum ofp_version ofp_version = oh->version;

++    struct ofpbuf msg = ofpbuf_const_initializer(oh, ntohs(oh->length));

++    ofpraw_pull_assert(&msg);

++

++    enum ofperr err;

++    switch (ofp_version)

++    {

++    case OFP11_VERSION:

++    case OFP12_VERSION:

++    case OFP13_VERSION:

++    case OFP14_VERSION:

++        err = ofputil_pull_ofp11_group_mod(&msg, ofp_version, gm);

++        break;

++

++    case OFP15_VERSION:

++    case OFP16_VERSION:

++        err = ofputil_pull_ofp15_group_mod(&msg, ofp_version, gm);

++        break;

++

++    case OFP10_VERSION:

++    default:

++        OVS_NOT_REACHED();

++    }

++    if (err) {

++        return err;

++    }

++

++    err = ofputil_check_group_mod(gm);

++    if (err) {

++        ofputil_uninit_group_mod(gm);

++    }

++    return err;

++}

++

+ /* Destroys 'bms'. */

+ void

+ ofputil_encode_bundle_msgs(struct ofputil_bundle_msg *bms, size_t n_bms,

+@@ -10020,14 +10043,21 @@ ofputil_decode_bundle_add(const struct o

+                           enum ofptype *typep)

+ {

+     struct ofpbuf b = ofpbuf_const_initializer(oh, ntohs(oh->length));

++

++    /* Pull the outer ofp_header. */

+     enum ofpraw raw = ofpraw_pull_assert(&b);

+     ovs_assert(raw == OFPRAW_OFPT14_BUNDLE_ADD_MESSAGE

+                || raw == OFPRAW_ONFT13_BUNDLE_ADD_MESSAGE);

+ 

++    /* Pull the bundle_ctrl header. */

+     const struct ofp14_bundle_ctrl_msg *m = ofpbuf_pull(&b, sizeof *m);

+     msg->bundle_id = ntohl(m->bundle_id);

+     msg->flags = ntohs(m->flags);

+ 

++    /* Pull the inner ofp_header. */

++    if (b.size < sizeof(struct ofp_header)) {

++        return OFPERR_OFPBFC_MSG_BAD_LEN;

++    }

+     msg->msg = b.data;

+     if (msg->msg->version != oh->version) {

+         return OFPERR_OFPBFC_BAD_VERSION;

@@ -1,7 +1,7 @@

 Summary:        Open vSwitch daemon/database/utilities

 Name:           openvswitch

 Version:        2.6.1

-Release:        4%{?dist}

+Release:        5%{?dist}

 License:        ASL 2.0 and LGPLv2+

 URL:            http://www.openvswitch.org/

 Group:          System Environment/Daemons

@@ -11,7 +11,8 @@ Distribution:   Photon

 Source0:        http://openvswitch.org/releases/%{name}-%{version}.tar.gz

 Patch0:         ovs-CVE-2017-9264.patch

 Patch1:         OVS-CVE-2017-9263.patch

-%define sha1 openvswitch=2865fe03b3906b5aea984102c4b65772b5dd7450

+Patch2:         OVS-CVE-2017-14970.patch

+%define sha1    openvswitch=2865fe03b3906b5aea984102c4b65772b5dd7450

 BuildRequires:  gcc >= 4.0.0

 BuildRequires:  libcap-ng

@@ -44,9 +45,9 @@ Open vSwitch provides standard network bridging functions and

 support for the OpenFlow protocol for remote per-flow control of

 traffic.

-%package	devel

-Summary:	Header and development files for openvswitch

-Requires:	%{name} = %{version}

+%package        devel

+Summary:        Header and development files for openvswitch

+Requires:       %{name} = %{version}

 %description    devel

 openvswitch-devel package contains header files and libs.

@@ -60,6 +61,7 @@ It contains the documentation and manpages for openvswitch.

 %setup -q

 %patch0 -p1

 %patch1 -p0

+%patch2 -p1

 %build

 ./configure \

@@ -141,19 +143,21 @@ make -k check |& tee %{_specdir}/%{name}-check-log || %{nocheck}

 /usr/share/man/man8/vtep-ctl.8.gz

 %changelog

-*	Wed Oct 18 2017 Dheeraj Shetty <dheerajs@vmware.com> 2.6.1-4

--	Fix CVE-2017-9263

-*	Mon Jun 12 2017 Vinay Kulkarni <kulkarniv@vmware.com> 2.6.1-3

--	Fix CVE-2017-9264

-*	Fri Feb 10 2017 Vinay Kulkarni <kulkarniv@vmware.com> 2.6.1-2

--	Build ovs shared library

-*	Wed Nov 16 2016 Vinay Kulkarni <kulkarniv@vmware.com> 2.6.1-1

--	Update to openvswitch 2.6.1

-*	Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 2.4.0-3

--	GA - Bump release of all rpms

-*       Sat Oct 31 2015 Vinay Kulkarni <kulkarniv@vmware.com> 2.4.0-2

--       OVS requires libatomic.so.1 provided by gcc.

-*       Mon Oct 12 2015 Vinay Kulkarni <kulkarniv@vmware.com> 2.4.0-1

--       Update to OVS v2.4.0

-*       Fri May 29 2015 Kumar Kaushik <kaushikk@vmware.com> 2.3.1-1

--       Initial build. First version

+*   Thu Nov 09 2017 Xiaolin Li <xiaolinl@vmware.com> 2.6.1-5

+-   Fix CVE-2017-14970

+*   Wed Oct 18 2017 Dheeraj Shetty <dheerajs@vmware.com> 2.6.1-4

+-   Fix CVE-2017-9263

+*   Mon Jun 12 2017 Vinay Kulkarni <kulkarniv@vmware.com> 2.6.1-3

+-   Fix CVE-2017-9264

+*   Fri Feb 10 2017 Vinay Kulkarni <kulkarniv@vmware.com> 2.6.1-2

+-   Build ovs shared library

+*   Wed Nov 16 2016 Vinay Kulkarni <kulkarniv@vmware.com> 2.6.1-1

+-   Update to openvswitch 2.6.1

+*   Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 2.4.0-3

+-   GA - Bump release of all rpms

+*   Sat Oct 31 2015 Vinay Kulkarni <kulkarniv@vmware.com> 2.4.0-2

+-   OVS requires libatomic.so.1 provided by gcc.

+*   Mon Oct 12 2015 Vinay Kulkarni <kulkarniv@vmware.com> 2.4.0-1

+-   Update to OVS v2.4.0

+*   Fri May 29 2015 Kumar Kaushik <kaushikk@vmware.com> 2.3.1-1

+-   Initial build. First version