authorIlya Maximets <i.maximets@ovn.org>2020-12-21 16:01:04 +0100
committerIlya Maximets <i.maximets@ovn.org>2020-12-22 00:25:04 +0100
commit55f2b065acd477a6810d5279fcace8b42bd594f5 (patch)
treec92b521e44f818d453ae74e29c180f7f4567f888 /ofproto
parentc5b4b0ce95a31f1a2fadc8eecd8027434357b9eb (diff)
downloadopenvswitch-55f2b065acd477a6810d5279fcace8b42bd594f5.tar.gz
odp-util: Fix netlink message overflow with userdata.
Too big userdata could overflow netlink message leading to out-of-bound memory accesses or assertion while formatting nested actions. Fix that by checking the size and returning correct error code. Credit to OSS-Fuzz. Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27640 Fixes: e995e3df57ea ("Allow OVS_USERSPACE_ATTR_USERDATA to be variable length.") Signed-off-by: Ilya Maximets <i.maximets@ovn.org> Acked-by: Flavio Leitner <fbl@sysclose.org>
Diffstat (limited to 'ofproto')
-rw-r--r--ofproto/ofproto-dpif-upcall.c2
-rw-r--r--ofproto/ofproto-dpif-xlate.c13
2 files changed, 7 insertions, 8 deletions
diff --git a/ofproto/ofproto-dpif-upcall.c b/ofproto/ofproto-dpif-upcall.c
index d79f48aa7..5fae46adf 100644
--- a/ofproto/ofproto-dpif-upcall.c
+++ b/ofproto/ofproto-dpif-upcall.c
@@ -1084,7 +1084,7 @@ compose_slow_path(struct udpif *udpif, struct xlate_out *xout,
}
odp_put_userspace_action(pid, &cookie, sizeof cookie,
- ODPP_NONE, false, buf);
+ ODPP_NONE, false, buf, NULL);
if (meter_id != UINT32_MAX) {
nl_msg_end_nested(buf, ac_offset);
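Review bot: The return value of `odp_put_userspace_action()` is discarded at this call in compose_slow_path, and again in put_controller_user_action in ofproto-dpif-xlate.c, although the function now reports an error, as the `int res = ...` call in compose_sample_action shows. If the only failure is an oversized userdata attribute, a fixed-size `cookie` presumably cannot trigger it, but nothing at these call sites says so. A failure that occurs after the callee has begun writing into `buf` would, as far as this view shows, go unnoticed and the flow's actions would still be used. Either check it the same way as in compose_sample_action, `int res = odp_put_userspace_action(...); ovs_assert(res == 0);`, or add a comment such as `/* Cannot fail: userdata is a fixed-size cookie. */`. The body of compose_slow_path continues outside the hunk.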
diff --git a/ofproto/ofproto-dpif-xlate.c b/ofproto/ofproto-dpif-xlate.c
index 4ea776052..2715a142b 100644
--- a/ofproto/ofproto-dpif-xlate.c
+++ b/ofproto/ofproto-dpif-xlate.c
@@ -3223,12 +3223,11 @@ compose_sample_action(struct xlate_ctx *ctx,
odp_port_t odp_port = ofp_port_to_odp_port(
ctx->xbridge, ctx->xin->flow.in_port.ofp_port);
uint32_t pid = dpif_port_get_pid(ctx->xbridge->dpif, odp_port);
- size_t cookie_offset = odp_put_userspace_action(pid, cookie,
- sizeof *cookie,
- tunnel_out_port,
- include_actions,
- ctx->odp_actions);
-
+ size_t cookie_offset;
+ int res = odp_put_userspace_action(pid, cookie, sizeof *cookie,
+ tunnel_out_port, include_actions,
+ ctx->odp_actions, &cookie_offset);
+ ovs_assert(res == 0);
if (is_sample) {
nl_msg_end_nested(ctx->odp_actions, actions_offset);
nl_msg_end_nested(ctx->odp_actions, sample_offset);
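Review bot: `ovs_assert(res == 0);` makes any non-zero return from `odp_put_userspace_action()` abort the whole process, and the line gives no reason why the call cannot fail on this path. The callee is not visible here, so it is unclear whether the size of `ctx->odp_actions` or only the userdata length can cause an error. If only the userdata length matters, say so next to the assert: `/* userdata is a fixed-size cookie, so the size check cannot fail. */`. If the accumulated actions can also trip it, a remotely influenced flow table should not be able to reach an abort, and the error would be better propagated to the caller. `cookie_offset` is also left uninitialized on the failure path, which is safe only while the assert stays in place. compose_sample_action starts and ends outside the hunk.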
@@ -4832,7 +4831,7 @@ put_controller_user_action(struct xlate_ctx *ctx,
ctx->xin->flow.in_port.ofp_port);
uint32_t pid = dpif_port_get_pid(ctx->xbridge->dpif, odp_port);
odp_put_userspace_action(pid, &cookie, sizeof cookie, ODPP_NONE,
- false, ctx->odp_actions);
+ false, ctx->odp_actions, NULL);
}
static void