Message ID | 1500997258-30113-1-git-send-email-gvrose8192@gmail.com |
---|---|
State | Accepted |
Headers | show |
On 25 July 2017 at 08:40, Greg Rose <gvrose8192@gmail.com> wrote: > Upstream commit: > commit 69ec932e364b1ba9c3a2085fe96b76c8a3f71e7c > Author: Liping Zhang <zlpnobody@gmail.com> > Date: Sun Jul 23 17:52:23 2017 +0800 > > openvswitch: fix potential out of bound access in parse_ct > > Before the 'type' is validated, we shouldn't use it to fetch the > ovs_ct_attr_lens's minlen and maxlen, else, out of bound access > may happen. > > Fixes: 7f8a436eaa2c ("openvswitch: Add conntrack action") > Signed-off-by: Liping Zhang <zlpnobody@gmail.com> > Acked-by: Pravin B Shelar <pshelar@ovn.org> > Signed-off-by: David S. Miller <davem@davemloft.net> > > Pick up an upstream bug fix. > > Fixes: a94ebc39996b ("datapath: Add conntrack action") > Signed-off-by: Greg Rose <gvrose8192@gmail.com> > --- > V2 - Add appropriate "Fixes" tag for OOT repository Thanks, I applied this to master and branch-2.[567].
diff --git a/datapath/conntrack.c b/datapath/conntrack.c index bba9bfe..b645ab1 100644 --- a/datapath/conntrack.c +++ b/datapath/conntrack.c @@ -1356,8 +1356,8 @@ static int parse_ct(const struct nlattr *attr, struct ovs_conntrack_info *info, nla_for_each_nested(a, attr, rem) { int type = nla_type(a); - int maxlen = ovs_ct_attr_lens[type].maxlen; - int minlen = ovs_ct_attr_lens[type].minlen; + int maxlen; + int minlen; if (type > OVS_CT_ATTR_MAX) { OVS_NLERR(log, @@ -1365,6 +1365,9 @@ static int parse_ct(const struct nlattr *attr, struct ovs_conntrack_info *info, type, OVS_CT_ATTR_MAX); return -EINVAL; } + + maxlen = ovs_ct_attr_lens[type].maxlen; + minlen = ovs_ct_attr_lens[type].minlen; if (nla_len(a) < minlen || nla_len(a) > maxlen) { OVS_NLERR(log, "Conntrack attr type has unexpected length (type=%d, length=%d, expected=%d)",