Message ID | 1378539694-3635-1-git-send-email-dborkman@redhat.com |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
Headers | show |
On Sat, Sep 7, 2013 at 12:41 AM, Daniel Borkmann <dborkman@redhat.com> wrote: > In function __parse_flow_nlattrs(), we check for condition > (type > OVS_KEY_ATTR_MAX) and if true, print an error, but we do > not return from this function as in other checks. It seems this > has been forgotten, as otherwise, we could access beyond the > memory of ovs_key_lens, which is of ovs_key_lens[OVS_KEY_ATTR_MAX + 1]. > Hence, a maliciously prepared nla_type from user space could access > beyond this upper limit. > > Introduced by 03f0d916a ("openvswitch: Mega flow implementation"). > > Signed-off-by: Daniel Borkmann <dborkman@redhat.com> > Cc: Andy Zhou <azhou@nicira.com> Yeah, looks like a mistake to me. Acked-by: Jesse Gross <jesse@nicira.com> -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
From: Jesse Gross <jesse@nicira.com> Date: Sat, 7 Sep 2013 22:35:33 -0700 > On Sat, Sep 7, 2013 at 12:41 AM, Daniel Borkmann <dborkman@redhat.com> wrote: >> In function __parse_flow_nlattrs(), we check for condition >> (type > OVS_KEY_ATTR_MAX) and if true, print an error, but we do >> not return from this function as in other checks. It seems this >> has been forgotten, as otherwise, we could access beyond the >> memory of ovs_key_lens, which is of ovs_key_lens[OVS_KEY_ATTR_MAX + 1]. >> Hence, a maliciously prepared nla_type from user space could access >> beyond this upper limit. >> >> Introduced by 03f0d916a ("openvswitch: Mega flow implementation"). >> >> Signed-off-by: Daniel Borkmann <dborkman@redhat.com> >> Cc: Andy Zhou <azhou@nicira.com> > > Yeah, looks like a mistake to me. > > Acked-by: Jesse Gross <jesse@nicira.com> Applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c index fb36f85..410db90 100644 --- a/net/openvswitch/flow.c +++ b/net/openvswitch/flow.c @@ -1178,6 +1178,7 @@ static int __parse_flow_nlattrs(const struct nlattr *attr, if (type > OVS_KEY_ATTR_MAX) { OVS_NLERR("Unknown key attribute (type=%d, max=%d).\n", type, OVS_KEY_ATTR_MAX); + return -EINVAL; } if (attrs & (1 << type)) {
In function __parse_flow_nlattrs(), we check for condition (type > OVS_KEY_ATTR_MAX) and if true, print an error, but we do not return from this function as in other checks. It seems this has been forgotten, as otherwise, we could access beyond the memory of ovs_key_lens, which is of ovs_key_lens[OVS_KEY_ATTR_MAX + 1]. Hence, a maliciously prepared nla_type from user space could access beyond this upper limit. Introduced by 03f0d916a ("openvswitch: Mega flow implementation"). Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Cc: Andy Zhou <azhou@nicira.com> --- net/openvswitch/flow.c | 1 + 1 file changed, 1 insertion(+)