Skip to content

Commit

Permalink
datapath: Avoid OOB read when parsing flow nlattrs
Browse files Browse the repository at this point in the history 
Upstream commit:
    commit 04a4af334b971814eedf4e4a413343ad3287d9a9
    Author: Ross Lagerwall <[email protected]>
    Date:   Mon Jan 14 09:16:56 2019 +0000

    openvswitch: Avoid OOB read when parsing flow nlattrs

    For nested and variable attributes, the expected length of an attribute
    is not known and marked by a negative number.  This results in an OOB
    read when the expected length is later used to check if the attribute is
    all zeros. Fix this by using the actual length of the attribute rather
    than the expected length.

    Signed-off-by: Ross Lagerwall <[email protected]>
    Acked-by: Pravin B Shelar <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

Cc: Ross Lagerwall <[email protected]>
Signed-off-by: Greg Rose <[email protected]>
Signed-off-by: Ben Pfaff <[email protected]>
  • Loading branch information
@rosslagerwall @blp
rosslagerwall authored and blp committed Feb 4, 2019
1 parent 7c84d7f commit 29478e6
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion datapath/flow_netlink.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -502,7 +502,7 @@ static int __parse_flow_nlattrs(const struct nlattr *attr,
return -EINVAL;
}

if (!nz || !is_all_zero(nla_data(nla), expected_len)) {
if (!nz || !is_all_zero(nla_data(nla), nla_len(nla))) {
attrs |= 1ULL << type;
a[type] = nla;
}
Expand Down

0 comments on commit 29478e6

Please sign in to comment.