summaryrefslogtreecommitdiff
path: root/net
diff options
context:
space:
mode:
authorDaniel Borkmann <dborkman@redhat.com>2013-09-07 09:41:34 +0200
committerDavid S. Miller <davem@davemloft.net>2013-09-11 16:09:58 -0400
commit3bf4b5b11d381fed6a94a7e487e01c8b3bc436b9 (patch)
treeafafcea11e352e1a6c17c46d6d0981ee5345e92c /net
parentdf9f1b9f3308125fb7c9b484852b5d6a18b2bc02 (diff)
downloadlinux-stable-3bf4b5b11d381fed6a94a7e487e01c8b3bc436b9.tar.gz
linux-stable-3bf4b5b11d381fed6a94a7e487e01c8b3bc436b9.tar.bz2
linux-stable-3bf4b5b11d381fed6a94a7e487e01c8b3bc436b9.zip
net: ovs: flow: fix potential illegal memory access in __parse_flow_nlattrs
In function __parse_flow_nlattrs(), we check for condition (type > OVS_KEY_ATTR_MAX) and if true, print an error, but we do not return from this function as in other checks. It seems this has been forgotten, as otherwise, we could access beyond the memory of ovs_key_lens, which is of ovs_key_lens[OVS_KEY_ATTR_MAX + 1]. Hence, a maliciously prepared nla_type from user space could access beyond this upper limit. Introduced by 03f0d916a ("openvswitch: Mega flow implementation"). Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Cc: Andy Zhou <azhou@nicira.com> Acked-by: Jesse Gross <jesse@nicira.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/openvswitch/flow.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c
index fb36f8565161..410db90db73d 100644
--- a/net/openvswitch/flow.c
+++ b/net/openvswitch/flow.c
@@ -1178,6 +1178,7 @@ static int __parse_flow_nlattrs(const struct nlattr *attr,
if (type > OVS_KEY_ATTR_MAX) {
OVS_NLERR("Unknown key attribute (type=%d, max=%d).\n",
type, OVS_KEY_ATTR_MAX);
+ return -EINVAL;
}
if (attrs & (1 << type)) {