diff mbox

[ovs-dev] datapath-windows: Handle possible NULL pointer dereference in STT

Message ID 1465903586-17236-1-git-send-email-pboca@cloudbasesolutions.com
State Superseded
Headers show

Commit Message

Paul Boca June 14, 2016, 11:26 a.m. UTC 
Check if OvsAllocatememoryWithTag succeeded or not.
In case of failure propagate cleanup and return.

Signed-off-by: Paul-Daniel Boca <pboca@cloudbasesolutions.com>
---
 datapath-windows/ovsext/Stt.c | 7 +++++++
 1 file changed, 7 insertions(+)

Comments

Alin Serdean June 14, 2016, 4:02 p.m. UTC | #1 
I looked briefly over stt.c and there is a list of issues to be fixed if you want to make part of this patch:

NdisGetDataBuffer can be null and should be checked (https://msdn.microsoft.com/en-us/library/windows/hardware/ff562631(v=vs.85).aspx )
" The return value can also be NULL due to a low resource condition where a data buffer cannot be mapped. This may occur even if the data is contiguous or the Storage parameter is non-NULL."
	https://github.com/openvswitch/ovs/blob/master/datapath-windows/ovsext/Stt.c#L403
	https://github.com/openvswitch/ovs/blob/master/datapath-windows/ovsext/Stt.c#L877
	https://github.com/openvswitch/ovs/blob/master/datapath-windows/ovsext/Stt.c#L907

https://github.com/openvswitch/ovs/blob/master/datapath-windows/ovsext/Stt.c#L972-L983 needs an else branch
https://github.com/openvswitch/ovs/blob/master/datapath-windows/ovsext/Stt.c#L957-L969 needs an else branch

MmGetSystemAddressForMdlSafe (https://msdn.microsoft.com/en-us/library/windows/hardware/ff554559(v=vs.85).aspx) should be checked:
https://github.com/openvswitch/ovs/blob/master/datapath-windows/ovsext/Stt.c#L192
https://github.com/openvswitch/ovs/blob/master/datapath-windows/ovsext/Stt.c#L798

https://github.com/openvswitch/ovs/blob/master/datapath-windows/ovsext/Stt.c#L666-L670
in the case it fails entry->packetBuf, entry should be freed

I think if 
https://github.com/openvswitch/ovs/blob/master/datapath-windows/ovsext/Stt.c#L691-L696
fails 
we should free pktFragEntry->packetBuf and pktFragEntry.

Also comment inlined.

Thanks,
Alin.

> -----Mesaj original-----

> De la: dev [mailto:dev-bounces@openvswitch.org] În numele Paul Boca

> Trimis: Tuesday, June 14, 2016 2:27 PM

> Către: dev@openvswitch.org

> Subiect: [ovs-dev] [PATCH] datapath-windows: Handle possible NULL pointer

> dereference in STT

> 

> Check if OvsAllocatememoryWithTag succeeded or not.

> In case of failure propagate cleanup and return.

> 

> Signed-off-by: Paul-Daniel Boca <pboca@cloudbasesolutions.com>

> ---

>  datapath-windows/ovsext/Stt.c | 7 +++++++

>  1 file changed, 7 insertions(+)

> 

> diff --git a/datapath-windows/ovsext/Stt.c b/datapath-

> windows/ovsext/Stt.c index 0bac5f2..e63211d 100644

> --- a/datapath-windows/ovsext/Stt.c

> +++ b/datapath-windows/ovsext/Stt.c

> @@ -641,6 +641,9 @@ OvsSttReassemble(POVS_SWITCH_CONTEXT

> switchContext,

>          POVS_STT_PKT_ENTRY entry;

>          entry = OvsAllocateMemoryWithTag(sizeof(OVS_STT_PKT_ENTRY),

>                                           OVS_STT_POOL_TAG);

> +        if (NULL == entry) {

> +            goto handle_error;

> +        }

>          RtlZeroMemory(entry, sizeof (OVS_STT_PKT_ENTRY));

> 

>          /* Update Key, timestamp and recvdLen */ @@ -663,6 +666,10 @@

> OvsSttReassemble(POVS_SWITCH_CONTEXT switchContext,

>          entry->allocatedLen = innerPacketLen;

>          entry->packetBuf = OvsAllocateMemoryWithTag(innerPacketLen,

>                                                      OVS_STT_POOL_TAG);

> +        if (NULL == entry->packetBuf) {

> +            OvsFreeMemoryWithTag(pktFragEntry, OVS_STT_POOL_TAG);

[Alin Gabriel Serdean: ] s/pktFragEntry/entry
> +            goto handle_error;

> +        }

>          if (OvsGetPacketBytes(curNbl, fragmentLength, startOffset,

>                                entry->packetBuf + offset) == NULL) {

>              OVS_LOG_ERROR("Error when obtaining bytes from Packet");

> --

> 2.7.2.windows.1

> _______________________________________________

> dev mailing list

> dev@openvswitch.org

> http://openvswitch.org/mailman/listinfo/dev
diff mbox

Patch

diff --git a/datapath-windows/ovsext/Stt.c b/datapath-windows/ovsext/Stt.c
index 0bac5f2..e63211d 100644
--- a/datapath-windows/ovsext/Stt.c
+++ b/datapath-windows/ovsext/Stt.c
@@ -641,6 +641,9 @@  OvsSttReassemble(POVS_SWITCH_CONTEXT switchContext,
         POVS_STT_PKT_ENTRY entry;
         entry = OvsAllocateMemoryWithTag(sizeof(OVS_STT_PKT_ENTRY),
                                          OVS_STT_POOL_TAG);
+        if (NULL == entry) {
+            goto handle_error;
+        }
         RtlZeroMemory(entry, sizeof (OVS_STT_PKT_ENTRY));
 
         /* Update Key, timestamp and recvdLen */
@@ -663,6 +666,10 @@  OvsSttReassemble(POVS_SWITCH_CONTEXT switchContext,
         entry->allocatedLen = innerPacketLen;
         entry->packetBuf = OvsAllocateMemoryWithTag(innerPacketLen,
                                                     OVS_STT_POOL_TAG);
+        if (NULL == entry->packetBuf) {
+            OvsFreeMemoryWithTag(pktFragEntry, OVS_STT_POOL_TAG);
+            goto handle_error;
+        }
         if (OvsGetPacketBytes(curNbl, fragmentLength, startOffset,
                               entry->packetBuf + offset) == NULL) {
             OVS_LOG_ERROR("Error when obtaining bytes from Packet");