From patchwork Thu Jun 23 09:16:08 2016
X-Patchwork-Submitter: Paul Boca
X-Patchwork-Id: 639554
X-Patchwork-Delegate: guru@ovn.org
From: Paul Boca
To: "dev@openvswitch.org"
Date: Thu, 23 Jun 2016 09:16:08 +0000
Message-ID: <1466673370-31896-1-git-send-email-pboca@cloudbasesolutions.com>
Subject: [ovs-dev] [PATCH V5] datapath-windows: Handle possible NULL pointer dereference in STT

Check if OvsAllocateMemoryWithTag succeeded or not. In case of failure, propagate cleanup and return.

Signed-off-by: Paul-Daniel Boca Acked-by: Sairam Venugopal --- V2: Checked also NdisGetDataBuffer and MmGetSystemAddressForMdlSafe if they return NULL and handle the error V3: Don't deallocate and remove failed packets on STT reassembly. They will be retransmited by sender or removed by the cleanup thread. V4: Removed comment that doesn't apply anymore. V5: Added Acked-by. This was already acked by Sairam --- datapath-windows/ovsext/Stt.c | 52 +++++++++++++++++++++++++++++++++++-------- 1 file changed, 43 insertions(+), 9 deletions(-) diff --git a/datapath-windows/ovsext/Stt.c b/datapath-windows/ovsext/Stt.c index 0bac5f2..93bc503 100644 --- a/datapath-windows/ovsext/Stt.c +++ b/datapath-windows/ovsext/Stt.c @@ -191,6 +191,10 @@ OvsDoEncapStt(POVS_VPORT_ENTRY vport, bufferStart = (PUINT8)MmGetSystemAddressForMdlSafe(curMdl, LowPagePriority); + if (bufferStart == NULL) { + status = NDIS_STATUS_RESOURCES; + goto ret_error; + } bufferStart += NET_BUFFER_CURRENT_MDL_OFFSET(curNb); if (layers->isIPv4) { @@ -402,6 +406,9 @@ OvsValidateTCPChecksum(PNET_BUFFER_LIST curNbl, PNET_BUFFER curNb) EthHdr *eth = (EthHdr *)NdisGetDataBuffer(curNb, sizeof(EthHdr), NULL, 1, 0); + if (eth == NULL) { + return NDIS_STATUS_RESOURCES; + } if (eth->Type == ntohs(NDIS_ETH_TYPE_IPV4)) { IPHdr *ip = (IPHdr *)((PCHAR)eth + sizeof *eth); @@ -641,6 +648,9 @@ OvsSttReassemble(POVS_SWITCH_CONTEXT switchContext, POVS_STT_PKT_ENTRY entry; entry = OvsAllocateMemoryWithTag(sizeof(OVS_STT_PKT_ENTRY), OVS_STT_POOL_TAG); + if (entry == NULL) { + goto handle_error; + } RtlZeroMemory(entry, sizeof (OVS_STT_PKT_ENTRY)); /* Update Key, timestamp and recvdLen */ 
@@ -663,6 +673,10 @@ OvsSttReassemble(POVS_SWITCH_CONTEXT switchContext, entry->allocatedLen = innerPacketLen; entry->packetBuf = OvsAllocateMemoryWithTag(innerPacketLen, OVS_STT_POOL_TAG); + if (entry->packetBuf == NULL) { + OvsFreeMemoryWithTag(entry, OVS_STT_POOL_TAG); + goto handle_error; + } if (OvsGetPacketBytes(curNbl, fragmentLength, startOffset, entry->packetBuf + offset) == NULL) { OVS_LOG_ERROR("Error when obtaining bytes from Packet"); @@ -677,9 +691,6 @@ OvsSttReassemble(POVS_SWITCH_CONTEXT switchContext, // don't copy more than it is allocated goto handle_error; } - /* Add to recieved length to identify if this is the last fragment */ - pktFragEntry->recvdLen += fragmentLength; - lastPacket = (pktFragEntry->recvdLen == innerPacketLen); if (segOffset == 0) { pktFragEntry->sttHdr = *sttHdr; @@ -694,6 +705,10 @@ OvsSttReassemble(POVS_SWITCH_CONTEXT switchContext, OVS_LOG_ERROR("Error when obtaining bytes from Packet"); goto handle_error; } + + /* Add to received length to identify if this is the last fragment */ + pktFragEntry->recvdLen += fragmentLength; + lastPacket = (pktFragEntry->recvdLen == innerPacketLen); } handle_error: @@ -737,7 +752,7 @@ handle_error: *---------------------------------------------------------------------------- */ NDIS_STATUS -OvsDecapSetOffloads(PNET_BUFFER_LIST *curNbl, +OvsDecapSetOffloads(PNET_BUFFER_LIST *curNbl, SttHdr *sttHdr, OVS_PACKET_HDR_INFO *layers) { @@ -797,6 +812,9 @@ OvsDecapSetOffloads(PNET_BUFFER_LIST *curNbl, buf = (PUINT8)MmGetSystemAddressForMdlSafe(curMdl, LowPagePriority); + if (buf == NULL) { + return NDIS_STATUS_RESOURCES; + } buf += NET_BUFFER_CURRENT_MDL_OFFSET(curNb); // apply pseudo checksum on extracted packet @@ -876,7 +894,9 @@ OvsDecapStt(POVS_SWITCH_CONTEXT switchContext, ipHdr = NdisGetDataBuffer(curNb, sizeof *ipHdr, (PVOID) &ipBuf, 1 /*no align*/, 0); - ASSERT(ipHdr); + if (ipHdr == NULL) { + return NDIS_STATUS_RESOURCES; + } TCPHdr *tcp = (TCPHdr *)((PCHAR)ipHdr + ipHdr->ihl * 4); 
@@ -906,6 +926,9 @@ OvsDecapStt(POVS_SWITCH_CONTEXT switchContext, /* STT Header */ sttHdr = NdisGetDataBuffer(curNb, sizeof *sttHdr, (PVOID) &sttBuf, 1 /*no align*/, 0); + if (sttHdr == NULL) { + return NDIS_STATUS_RESOURCES; + } /* Skip stt header, DataOffset points to inner pkt now. */ hdrLen = STT_HDR_LEN; NdisAdvanceNetBufferDataStart(curNb, hdrLen, FALSE, NULL); @@ -922,8 +945,8 @@ OvsDecapStt(POVS_SWITCH_CONTEXT switchContext, status = NdisRetreatNetBufferDataStart(curNb, advanceCnt, 0, NULL); if (status != NDIS_STATUS_SUCCESS) { - OvsCompleteNBL(switchContext, *newNbl, TRUE); - return NDIS_STATUS_FAILURE; + status = NDIS_STATUS_FAILURE; + goto dropNbl; } ASSERT(sttHdr); @@ -942,8 +965,8 @@ OvsDecapStt(POVS_SWITCH_CONTEXT switchContext, if (0 != ipHdr->tos) { status = OvsExtractLayers(*newNbl, &layers); if (status != NDIS_STATUS_SUCCESS) { - OvsCompleteNBL(switchContext, *newNbl, TRUE); - return NDIS_STATUS_FAILURE; + status = NDIS_STATUS_FAILURE; + goto dropNbl; } if (layers.isIPv4) { @@ -966,6 +989,9 @@ OvsDecapStt(POVS_SWITCH_CONTEXT switchContext, /* fix IP checksum */ innerIpHdr->check = IPChecksum((UINT8 *)innerIpHdr, innerIpHdr->ihl * 4, 0); + } else { + status = NDIS_STATUS_RESOURCES; + goto dropNbl; } } else if (layers.isIPv6) { IPv6Hdr ipv6_storage; @@ -980,6 +1006,9 @@ OvsDecapStt(POVS_SWITCH_CONTEXT switchContext, | ((innerIpv6Hdr->flow_lbl[0] & 0x3) << 2); innerIpv6Hdr->flow_lbl[0] = (innerIpv6Hdr->flow_lbl[0] & 0xF) | ((ipHdr->tos & 0xF) << 4); + } else { + status = NDIS_STATUS_RESOURCES; + goto dropNbl; } } } @@ -998,4 +1027,9 @@ OvsDecapStt(POVS_SWITCH_CONTEXT switchContext, OvsDecapSetOffloads(newNbl, sttHdr, &layers); return NDIS_STATUS_SUCCESS; + +dropNbl: + OvsCompleteNBL(switchContext, *newNbl, TRUE); + *newNbl = NULL; + return status; }
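Review bot: In the OvsValidateTCPChecksum hunk (@@ -402), the new NULL check covers only the sizeof(EthHdr) bytes requested from NdisGetDataBuffer, yet the next context line derives `ip` from `(PCHAR)eth + sizeof *eth` and reads past that range. With a NULL Storage argument, NdisGetDataBuffer returns NULL when the requested bytes are not contiguous, so a non-NULL `eth` guarantees nothing about the IP and TCP headers behind it. Request the full header length the function goes on to read, or pass a storage buffer. NDIS_STATUS_RESOURCES is also a loose fit here, because NULL from this call can mean non-contiguous data as well as a failed mapping.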
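Review bot: In OvsSttReassemble (@@ -641 and @@ -663), both allocation failures jump to handle_error without logging, while the OvsGetPacketBytes failure next to them reports through OVS_LOG_ERROR. Add a log line on each new path so out-of-memory drops can be told apart from bad fragments. The @@ -663 branch frees `entry` before jumping; please confirm that the OvsGetPacketBytes failure just below it also releases `entry->packetBuf` and `entry`, since only its log call is visible in this context.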
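Review bot: In the @@ -694 hunk, moving the `recvdLen` update behind the successful copy stops a failed fragment from being counted, but `lastPacket` still depends on `pktFragEntry->recvdLen == innerPacketLen`. A segment that is stored successfully and then arrives a second time adds its `fragmentLength` twice, the sum passes `innerPacketLen`, and the equality can never become true. Track which offsets have already been stored, or at least treat `recvdLen > innerPacketLen` as an error and drop the entry.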
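Review bot: The @@ -737 hunk changes only whitespace on the `OvsDecapSetOffloads(PNET_BUFFER_LIST *curNbl,` line and is unrelated to the NULL-pointer handling. Mention it in the commit message or move it to a separate cleanup patch so the fix stays easy to backport.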
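Review bot: The `return NDIS_STATUS_RESOURCES` added to OvsDecapSetOffloads in the @@ -797 hunk is never seen by its caller: the last hunk still shows `OvsDecapSetOffloads(newNbl, sttHdr, &layers);` followed directly by `return NDIS_STATUS_SUCCESS;`. Assign the result to `status` and `goto dropNbl` when it is not NDIS_STATUS_SUCCESS; as written, a packet whose MDL could not be mapped is reported as decapsulated successfully without the checksum handling that follows the mapping.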
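Review bot: In the OvsDecapStt hunk at @@ -876, the runtime check that replaces ASSERT(ipHdr) still leaves the next context line computing `tcp` as `(PCHAR)ipHdr + ipHdr->ihl * 4` although only `sizeof *ipHdr` bytes were requested. If NdisGetDataBuffer had to copy into `ipBuf`, that pointer lands outside the copied data, and `ihl` is used as an offset without being validated. Request enough bytes to cover the IP and TCP headers, and reject an `ihl` smaller than 5 before using it.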
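Review bot: In the @@ -906 hunk, the `sttHdr == NULL` path returns directly, while every later failure in OvsDecapStt goes through the new dropNbl label, which completes `*newNbl` and sets it to NULL. If `*newNbl` can already be assigned at this point the early return leaks it; if it cannot, a short comment saying so would make the two exit styles easier to review. The `ASSERT(sttHdr);` that remains in the @@ -922 context is redundant after this check and can be removed.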
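Review bot: In the @@ -922 and @@ -942 hunks, `status` is overwritten with NDIS_STATUS_FAILURE immediately before `goto dropNbl`, which discards the code returned by NdisRetreatNetBufferDataStart and OvsExtractLayers. Since dropNbl ends in `return status;`, the assignment can be dropped so that callers and logs see the original failure reason, unless a caller depends on NDIS_STATUS_FAILURE specifically, in which case say so in a comment.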