diff options
author | Ilya Maximets <i.maximets@ovn.org> | 2021-04-04 19:31:46 +0200 |
---|---|---|
committer | Ilya Maximets <i.maximets@ovn.org> | 2021-05-24 20:21:56 +0200 |
commit | 13c0eaa7b4fc2694a8c6cc8e6487ec6538c607e4 (patch) | |
tree | c11843f57e1958edd49edb581c80257f413b9e3b /lib/dpif-netlink.c | |
parent | 328d20e0f8d0cfc8c80079784bff07219f687bf0 (diff) | |
download | openvswitch-13c0eaa7b4fc2694a8c6cc8e6487ec6538c607e4.tar.gz |
dpif-netlink: Fix send of uninitialized memory in ct limit requests.
ct limit requests never initializes the whole 'struct ovs_zone_limit'
sending uninitialized stack memory to kernel:
Syscall param sendmsg(msg.msg_iov[0]) points to uninitialised byte(s)
at 0x5E23867: sendmsg (in /usr/lib64/libpthread-2.28.so)
by 0x54F761: nl_sock_transact_multiple__ (netlink-socket.c:858)
by 0x54FB6E: nl_sock_transact_multiple.part.9 (netlink-socket.c:1079)
by 0x54FCC0: nl_sock_transact_multiple (netlink-socket.c:1044)
by 0x54FCC0: nl_sock_transact (netlink-socket.c:1108)
by 0x550B6F: nl_transact (netlink-socket.c:1804)
by 0x53BEA2: dpif_netlink_ct_get_limits (dpif-netlink.c:3052)
by 0x588B57: dpctl_ct_get_limits (dpctl.c:2178)
by 0x586FF2: dpctl_unixctl_handler (dpctl.c:2870)
by 0x52C241: process_command (unixctl.c:310)
by 0x52C241: run_connection (unixctl.c:344)
by 0x52C241: unixctl_server_run (unixctl.c:395)
by 0x407526: main (ovs-vswitchd.c:128)
Address 0x10b87480 is 32 bytes inside a block of size 4,096 alloc'd
at 0x4C30F0B: malloc (vg_replace_malloc.c:307)
by 0x52CDE4: xmalloc (util.c:138)
by 0x4F7E07: ofpbuf_init (ofpbuf.c:123)
by 0x4F7E07: ofpbuf_new (ofpbuf.c:151)
by 0x53BDE3: dpif_netlink_ct_get_limits (dpif-netlink.c:3025)
by 0x588B57: dpctl_ct_get_limits (dpctl.c:2178)
by 0x586FF2: dpctl_unixctl_handler (dpctl.c:2870)
by 0x52C241: process_command (unixctl.c:310)
by 0x52C241: run_connection (unixctl.c:344)
by 0x52C241: unixctl_server_run (unixctl.c:395)
by 0x407526: main (ovs-vswitchd.c:128)
Uninitialised value was created by a stack allocation
at 0x46AAA0: ct_dpif_get_limits (ct-dpif.c:197)
Fix that by using designated initializers that will clear all the
non-specified fields.
Fixes: 906ff9d229ee ("dpif-netlink: Implement conntrack zone limit")
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Acked-by: Mark D. Gray <mark.d.gray@redhat.com>
Diffstat (limited to 'lib/dpif-netlink.c')
-rw-r--r-- | lib/dpif-netlink.c | 24 |
1 files changed, 14 insertions, 10 deletions
diff --git a/lib/dpif-netlink.c b/lib/dpif-netlink.c index 50520f8c0..73d5608a8 100644 --- a/lib/dpif-netlink.c +++ b/lib/dpif-netlink.c @@ -2923,8 +2923,6 @@ dpif_netlink_ct_set_limits(struct dpif *dpif OVS_UNUSED, const uint32_t *default_limits, const struct ovs_list *zone_limits) { - struct ovs_zone_limit req_zone_limit; - if (ovs_ct_limit_family < 0) { return EOPNOTSUPP; } @@ -2941,8 +2939,10 @@ dpif_netlink_ct_set_limits(struct dpif *dpif OVS_UNUSED, size_t opt_offset; opt_offset = nl_msg_start_nested(request, OVS_CT_LIMIT_ATTR_ZONE_LIMIT); if (default_limits) { - req_zone_limit.zone_id = OVS_ZONE_LIMIT_DEFAULT_ZONE; - req_zone_limit.limit = *default_limits; + struct ovs_zone_limit req_zone_limit = { + .zone_id = OVS_ZONE_LIMIT_DEFAULT_ZONE, + .limit = *default_limits, + }; nl_msg_put(request, &req_zone_limit, sizeof req_zone_limit); } @@ -2950,8 +2950,10 @@ dpif_netlink_ct_set_limits(struct dpif *dpif OVS_UNUSED, struct ct_dpif_zone_limit *zone_limit; LIST_FOR_EACH (zone_limit, node, zone_limits) { - req_zone_limit.zone_id = zone_limit->zone; - req_zone_limit.limit = zone_limit->limit; + struct ovs_zone_limit req_zone_limit = { + .zone_id = zone_limit->zone, + .limit = zone_limit->limit, + }; nl_msg_put(request, &req_zone_limit, sizeof req_zone_limit); } } @@ -3035,8 +3037,9 @@ dpif_netlink_ct_get_limits(struct dpif *dpif OVS_UNUSED, size_t opt_offset = nl_msg_start_nested(request, OVS_CT_LIMIT_ATTR_ZONE_LIMIT); - struct ovs_zone_limit req_zone_limit; - req_zone_limit.zone_id = OVS_ZONE_LIMIT_DEFAULT_ZONE; + struct ovs_zone_limit req_zone_limit = { + .zone_id = OVS_ZONE_LIMIT_DEFAULT_ZONE, + }; nl_msg_put(request, &req_zone_limit, sizeof req_zone_limit); struct ct_dpif_zone_limit *zone_limit; @@ -3086,8 +3089,9 @@ dpif_netlink_ct_del_limits(struct dpif *dpif OVS_UNUSED, struct ct_dpif_zone_limit *zone_limit; LIST_FOR_EACH (zone_limit, node, zone_limits) { - struct ovs_zone_limit req_zone_limit; - req_zone_limit.zone_id = zone_limit->zone; + struct ovs_zone_limit req_zone_limit = { + .zone_id = zone_limit->zone, + }; nl_msg_put(request, &req_zone_limit, sizeof req_zone_limit); } nl_msg_end_nested(request, opt_offset); |