author Daniel Borkmann <dborkman@redhat.com> 2013-09-09 13:27:27 -0700
committer Jesse Gross <jesse@nicira.com> 2013-09-09 13:32:28 -0700
commit 3a166d4a851313dd4799dfba72b05892e6fd3381 (patch)
tree 716d94469df9c5ed372e0238559a8da4df0523b4
parent 70b14a3dc45929adeadfa7172b18d44fe97573e7 (diff)
download openvswitch-3a166d4a851313dd4799dfba72b05892e6fd3381.tar.gz
datapath: flow: fix potential illegal memory access in __parse_flow_nlattrs
In function __parse_flow_nlattrs(), we check for condition (type > OVS_KEY_ATTR_MAX) and if true, print an error, but we do not return from this function as in other checks. It seems this has been forgotten, as otherwise, we could access beyond the memory of ovs_key_lens, which is of ovs_key_lens[OVS_KEY_ATTR_MAX + 1]. Hence, a maliciously prepared nla_type from user space could access beyond this upper limit.

Introduced by 03f0d916a ("openvswitch: Mega flow implementation").

Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Cc: Andy Zhou <azhou@nicira.com>
Signed-off-by: Jesse Gross <jesse@nicira.com>
-rw-r--r-- datapath/flow.c 1
1 files changed, 1 insertions, 0 deletions
diff --git a/datapath/flow.c b/datapath/flow.c
index 06ceafae7..979e5ec9f 100644
--- a/datapath/flow.c
+++ b/datapath/flow.c
@@ -1131,6 +1131,7 @@ static int __parse_flow_nlattrs(const struct nlattr *attr,
if (type > OVS_KEY_ATTR_MAX) {
OVS_NLERR("Unknown key attribute (type=%d, max=%d).\n",
type, OVS_KEY_ATTR_MAX);
+ return -EINVAL;
}
if (attrs & (1ULL << type)) {
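Review bot: The context line "if (attrs & (1ULL << type))" right after the new return depends on an invariant that is not stated anywhere in the hunk: the shift is only defined while type is below 64. With the added "return -EINVAL;", type is now bounded by OVS_KEY_ATTR_MAX when it reaches that line, so the bitmask stays valid only as long as OVS_KEY_ATTR_MAX itself stays below 64. Consider a build-time assertion on OVS_KEY_ATTR_MAX next to this check, or at least a comment, so a future attribute addition cannot silently turn the duplicate-attribute test into an undefined shift. It would also help to note in a comment that this bound is what protects the later ovs_key_lens[] lookup described in the commit message, since that lookup is outside the lines shown here and the dependency is easy to lose in a refactor.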