| From foo@baz Sat Jan 26 10:22:50 CET 2019 |
| From: Ross Lagerwall <ross.lagerwall@citrix.com> |
| Date: Mon, 14 Jan 2019 09:16:56 +0000 |
| Subject: openvswitch: Avoid OOB read when parsing flow nlattrs |
| |
| From: Ross Lagerwall <ross.lagerwall@citrix.com> |
| |
| [ Upstream commit 04a4af334b971814eedf4e4a413343ad3287d9a9 ] |
| |
| For nested and variable attributes, the expected length of an attribute |
| is not known and marked by a negative number. This results in an OOB |
| read when the expected length is later used to check if the attribute is |
| all zeros. Fix this by using the actual length of the attribute rather |
| than the expected length. |
| |
| Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com> |
| Acked-by: Pravin B Shelar <pshelar@ovn.org> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/openvswitch/flow_netlink.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/net/openvswitch/flow_netlink.c |
| +++ b/net/openvswitch/flow_netlink.c |
| @@ -500,7 +500,7 @@ static int __parse_flow_nlattrs(const st |
| return -EINVAL; |
| } |
| |
| - if (!nz || !is_all_zero(nla_data(nla), expected_len)) { |
| + if (!nz || !is_all_zero(nla_data(nla), nla_len(nla))) { |
| attrs |= 1 << type; |
| a[type] = nla; |
| } |
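
Review bot: the replaced `is_all_zero(nla_data(nla), nla_len(nla))` call in the `if (!nz || ...)` condition has no comment explaining why the attribute's actual length is used, so a later cleanup could reintroduce `expected_len` there. Per the commit message, `expected_len` is a negative marker for nested and variable-length attributes, and passing it as a size is what caused the out-of-bounds read. Suggest a one-line comment above the `if` stating that `expected_len` may be negative and must not be used as a length. It would also be worth confirming that no other use of `expected_len` as a size remains in `__parse_flow_nlattrs` outside the lines shown in this hunk.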