| From foo@baz Tue Aug 8 16:51:58 PDT 2017 |
| From: Liping Zhang <zlpnobody@gmail.com> |
| Date: Sun, 23 Jul 2017 17:52:23 +0800 |
| Subject: openvswitch: fix potential out of bound access in parse_ct |
| |
| From: Liping Zhang <zlpnobody@gmail.com> |
| |
| |
| [ Upstream commit 69ec932e364b1ba9c3a2085fe96b76c8a3f71e7c ] |
| |
| Before the 'type' is validated, we shouldn't use it to fetch the |
| ovs_ct_attr_lens's minlen and maxlen, else, out of bound access |
| may happen. |
| |
| Fixes: 7f8a436eaa2c ("openvswitch: Add conntrack action") |
| Signed-off-by: Liping Zhang <zlpnobody@gmail.com> |
| Acked-by: Pravin B Shelar <pshelar@ovn.org> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/openvswitch/conntrack.c | 7 +++++-- |
| 1 file changed, 5 insertions(+), 2 deletions(-) |
| |
| --- a/net/openvswitch/conntrack.c |
| +++ b/net/openvswitch/conntrack.c |
| @@ -577,8 +577,8 @@ static int parse_ct(const struct nlattr |
| |
| nla_for_each_nested(a, attr, rem) { |
| int type = nla_type(a); |
| - int maxlen = ovs_ct_attr_lens[type].maxlen; |
| - int minlen = ovs_ct_attr_lens[type].minlen; |
| + int maxlen; |
| + int minlen; |
| |
| if (type > OVS_CT_ATTR_MAX) { |
| OVS_NLERR(log, |
| @@ -586,6 +586,9 @@ static int parse_ct(const struct nlattr |
| type, OVS_CT_ATTR_MAX); |
| return -EINVAL; |
| } |
| + |
| + maxlen = ovs_ct_attr_lens[type].maxlen; |
| + minlen = ovs_ct_attr_lens[type].minlen; |
| if (nla_len(a) < minlen || nla_len(a) > maxlen) { |
| OVS_NLERR(log, |
| "Conntrack attr type has unexpected length (type=%d, length=%d, expected=%d)", |