From 3a166d4a851313dd4799dfba72b05892e6fd3381 Mon Sep 17 00:00:00 2001
From: Daniel Borkmann <dborkman@redhat.com>
Date: Mon, 9 Sep 2013 13:27:27 -0700
Subject: datapath: flow: fix potential illegal memory access in
 __parse_flow_nlattrs

In function __parse_flow_nlattrs(), we check for condition
(type > OVS_KEY_ATTR_MAX) and if true, print an error, but we do
not return from this function as in other checks. It seems this
has been forgotten, as otherwise, we could access beyond the
memory of ovs_key_lens, which is of ovs_key_lens[OVS_KEY_ATTR_MAX + 1].
Hence, a maliciously prepared nla_type from user space could access
beyond this upper limit.

Introduced by 03f0d916a ("openvswitch: Mega flow implementation").

Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Cc: Andy Zhou <azhou@nicira.com>
Signed-off-by: Jesse Gross <jesse@nicira.com>
---
 datapath/flow.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/datapath/flow.c b/datapath/flow.c
index 06ceafae7..979e5ec9f 100644
--- a/datapath/flow.c
+++ b/datapath/flow.c
@@ -1131,6 +1131,7 @@ static int __parse_flow_nlattrs(const struct nlattr *attr,
 		if (type > OVS_KEY_ATTR_MAX) {
 			OVS_NLERR("Unknown key attribute (type=%d, max=%d).\n",
 				  type, OVS_KEY_ATTR_MAX);
+			return -EINVAL;
 		}
 
 		if (attrs & (1ULL << type)) {
-- 
cgit v1.2.1