mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-11-26 21:54:11 +08:00
net: ovs: flow: fix potential illegal memory access in __parse_flow_nlattrs
In function __parse_flow_nlattrs(), we check for condition
(type > OVS_KEY_ATTR_MAX) and if true, print an error, but we do
not return from this function as in other checks. It seems this
has been forgotten, as otherwise, we could access beyond the
memory of ovs_key_lens, which is of ovs_key_lens[OVS_KEY_ATTR_MAX + 1].
Hence, a maliciously prepared nla_type from user space could access
beyond this upper limit.
Introduced by 03f0d916a
("openvswitch: Mega flow implementation").
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Cc: Andy Zhou <azhou@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
df9f1b9f33
commit
3bf4b5b11d
@ -1178,6 +1178,7 @@ static int __parse_flow_nlattrs(const struct nlattr *attr,
|
||||
if (type > OVS_KEY_ATTR_MAX) {
|
||||
OVS_NLERR("Unknown key attribute (type=%d, max=%d).\n",
|
||||
type, OVS_KEY_ATTR_MAX);
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
if (attrs & (1 << type)) {
|
||||
|
Loading…
Reference in New Issue
Block a user