
[ovs-dev] conntrack.c: Add missing return value check to prevent nptr dereference.

Message ID 20180815032025.25088-1-jasonwood2031@gmail.com
State Not Applicable

Commit Message

Jiecheng Wu Aug. 15, 2018, 3:20 a.m. UTC
Function ovs_ct_limit_cmd_get() defined in net/openvswitch/conntrack.c may cause a null pointer dereference as it calls nla_nest_start which may return NULL. The returned value is used in function nla_nest_end() later where the pointer is dereferenced.
---
 net/openvswitch/conntrack.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Aaron Conole Aug. 15, 2018, 4:03 p.m. UTC | #1
Jiecheng Wu <jasonwood2031@gmail.com> writes:

> Function ovs_ct_limit_cmd_get() defined in net/openvswitch/conntrack.c may cause a null pointer dereference as it calls nla_nest_start which may return NULL. The returned value is used in function nla_nest_end() later where the pointer is dereferenced.
> ---
>  net/openvswitch/conntrack.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
> index 284aca2..dad0456 100644
> --- a/net/openvswitch/conntrack.c
> +++ b/net/openvswitch/conntrack.c
> @@ -2132,6 +2132,10 @@ static int ovs_ct_limit_cmd_get(struct sk_buff *skb, struct genl_info *info)
>  		return PTR_ERR(reply);
>  
>  	nla_reply = nla_nest_start(reply, OVS_CT_LIMIT_ATTR_ZONE_LIMIT);
> +	if (!nla_reply) {
> +		err = -ENOMEM;
> +		goto exit_err;
> +	}
>  
>  	if (a[OVS_CT_LIMIT_ATTR_ZONE_LIMIT]) {
>  		err = ovs_ct_limit_get_zone_limit(
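
Review bot: The goto exit_err added in the !nla_reply branch is reached only after reply has passed the IS_ERR check in the context line above, so this error path now holds an allocated reply skb. The exit_err label is outside the visible context; please confirm it frees reply, otherwise the same failure that used to cause a NULL dereference will leak the skb instead.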

This patch is appropriate to the netdev@vger.kernel.org mailing list.  A
version was submitted already by Stephen Hemminger (Cc'd).

See:
https://mail.openvswitch.org/pipermail/ovs-dev/2018-July/349816.html

Looks like these were not accepted per David's response at:
https://mail.openvswitch.org/pipermail/ovs-dev/2018-July/349929.html

Stephen, are you going to resubmit your patches to netdev?

Patch

diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
index 284aca2..dad0456 100644
--- a/net/openvswitch/conntrack.c
+++ b/net/openvswitch/conntrack.c
@@ -2132,6 +2132,10 @@  static int ovs_ct_limit_cmd_get(struct sk_buff *skb, struct genl_info *info)
 		return PTR_ERR(reply);
 
 	nla_reply = nla_nest_start(reply, OVS_CT_LIMIT_ATTR_ZONE_LIMIT);
+	if (!nla_reply) {
+		err = -ENOMEM;
+		goto exit_err;
+	}
 
 	if (a[OVS_CT_LIMIT_ATTR_ZONE_LIMIT]) {
 		err = ovs_ct_limit_get_zone_limit(
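
Review bot: err = -ENOMEM in the added !nla_reply branch does not describe the failure: nla_nest_start() returns NULL when the skb has no tailroom left for the nested attribute header, not when an allocation fails, and netlink code conventionally reports that as -EMSGSIZE. Suggest err = -EMSGSIZE; in that branch. The commit message as posted also has no Signed-off-by line, which is needed before the patch can be applied.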