net: ovs: flow: fix potential illegal memory access in __parse_flow_nlattrs

In function __parse_flow_nlattrs(), we check for condition (type > OVS_KEY_ATTR_MAX) and if true, print an error, but we do not return from this function as in other checks. It seems this has been forgotten, as otherwise, we could access beyond the memory of ovs_key_lens, which is of ovs_key_lens[OVS_KEY_ATTR_MAX + 1]. Hence, a maliciously prepared nla_type from user space could access beyond this upper limit. Introduced by 03f0d916a ("openvswitch: Mega flow implementation"). Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Cc: Andy Zhou <azhou@nicira.com> Acked-by: Jesse Gross <jesse@nicira.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Daniel Borkmann <dborkman@redhat.com> 2013-09-07 07:41:34 (GMT)
committer: David S. Miller <davem@davemloft.net> 2013-09-11 20:09:58 (GMT)
commit: 3bf4b5b11d381fed6a94a7e487e01c8b3bc436b9 (patch)
tree: afafcea11e352e1a6c17c46d6d0981ee5345e92c /net/openvswitch
parent: df9f1b9f3308125fb7c9b484852b5d6a18b2bc02 (diff)
download: linux-3bf4b5b11d381fed6a94a7e487e01c8b3bc436b9.tar.xz
1 files changed, 1 insertions, 0 deletions
diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c
index fb36f85..410db90 100644
--- a/net/openvswitch/flow.c
+++ b/net/openvswitch/flow.c
@@ -1178,6 +1178,7 @@ static int __parse_flow_nlattrs(const struct nlattr *attr,
 		if (type > OVS_KEY_ATTR_MAX) {
 			OVS_NLERR("Unknown key attribute (type=%d, max=%d).\n",
 				  type, OVS_KEY_ATTR_MAX);
+			return -EINVAL;
 		}
 
 		if (attrs & (1 << type)) {
author	Daniel Borkmann <dborkman@redhat.com>	2013-09-07 07:41:34 (GMT)
committer	David S. Miller <davem@davemloft.net>	2013-09-11 20:09:58 (GMT)
commit	3bf4b5b11d381fed6a94a7e487e01c8b3bc436b9 (patch)
tree	afafcea11e352e1a6c17c46d6d0981ee5345e92c /net/openvswitch
parent	df9f1b9f3308125fb7c9b484852b5d6a18b2bc02 (diff)
download	linux-3bf4b5b11d381fed6a94a7e487e01c8b3bc436b9.tar.xz