| Message ID | 20180718161216.27820-3-sthemmin@microsoft.com |
|---|---|
| State | Not Applicable |
| Headers | show |
| Series | openvswitch tests for nla_nest_start | expand |
On Wed, Jul 18, 2018 at 9:12 AM, Stephen Hemminger <stephen@networkplumber.org> wrote: > The call to nla_nest_start when forming packet messages can lead to a NULL > return so it's possible for attr to become NULL and we can potentially > get a NULL pointer dereference on attr. Fix this by checking for > a NULL return. > > Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200537 > Fixes: 8f0aad6f35f7 ("openvswitch: Extend packet attribute for egress tunnel info") > Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> > --- > net/openvswitch/datapath.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c > index 0f5ce77460d4..93c3eb635827 100644 > --- a/net/openvswitch/datapath.c > +++ b/net/openvswitch/datapath.c > @@ -460,6 +460,10 @@ static int queue_userspace_packet(struct datapath *dp, struct sk_buff *skb, > > if (upcall_info->egress_tun_info) { > nla = nla_nest_start(user_skb, OVS_PACKET_ATTR_EGRESS_TUN_KEY); > + if (!nla) { > + err = -EMSGSIZE; > + goto out; > + } > err = ovs_nla_put_tunnel_info(user_skb, > upcall_info->egress_tun_info); > BUG_ON(err); > @@ -468,6 +472,10 @@ static int queue_userspace_packet(struct datapath *dp, struct sk_buff *skb, > > if (upcall_info->actions_len) { > nla = nla_nest_start(user_skb, OVS_PACKET_ATTR_ACTIONS); > + if (!nla) { > + err = -EMSGSIZE; > + goto out; > + } > err = ovs_nla_put_actions(upcall_info->actions, > upcall_info->actions_len, > user_skb); Acked-by: Pravin B Shelar <pshelar@ovn.org> Thanks.
diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c index 0f5ce77460d4..93c3eb635827 100644 --- a/net/openvswitch/datapath.c +++ b/net/openvswitch/datapath.c @@ -460,6 +460,10 @@ static int queue_userspace_packet(struct datapath *dp, struct sk_buff *skb, if (upcall_info->egress_tun_info) { nla = nla_nest_start(user_skb, OVS_PACKET_ATTR_EGRESS_TUN_KEY); + if (!nla) { + err = -EMSGSIZE; + goto out; + } err = ovs_nla_put_tunnel_info(user_skb, upcall_info->egress_tun_info); BUG_ON(err); @@ -468,6 +472,10 @@ static int queue_userspace_packet(struct datapath *dp, struct sk_buff *skb, if (upcall_info->actions_len) { nla = nla_nest_start(user_skb, OVS_PACKET_ATTR_ACTIONS); + if (!nla) { + err = -EMSGSIZE; + goto out; + } err = ovs_nla_put_actions(upcall_info->actions, upcall_info->actions_len, user_skb);
The call to nla_nest_start when forming packet messages can lead to a NULL return so it's possible for attr to become NULL and we can potentially get a NULL pointer dereference on attr. Fix this by checking for a NULL return. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200537 Fixes: 8f0aad6f35f7 ("openvswitch: Extend packet attribute for egress tunnel info") Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- net/openvswitch/datapath.c | 8 ++++++++ 1 file changed, 8 insertions(+)