net: ovs: flow: fix potential illegal memory access in __parse_flow_nlattrs

In function __parse_flow_nlattrs(), we check for condition (type > OVS_KEY_ATTR_MAX) and if true, print an error, but we do not return from this function as in other checks. It seems this has been forgotten, as otherwise, we could access beyond the memory of ovs_key_lens, which is of ovs_key_lens[OVS_KEY_ATTR_MAX + 1]. Hence, a maliciously prepared nla_type from user space could access beyond this upper limit. Introduced by 03f0d916a ("openvswitch: Mega flow implementation"). Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Cc: Andy Zhou <azhou@nicira.com> Acked-by: Jesse Gross <jesse@nicira.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Daniel Borkmann <dborkman@redhat.com> 2013-09-07 09:41:34 +0200
committer: David S. Miller <davem@davemloft.net> 2013-09-11 16:09:58 -0400
commit: 3bf4b5b11d381fed6a94a7e487e01c8b3bc436b9 (patch)
tree: afafcea11e352e1a6c17c46d6d0981ee5345e92c /net
parent: df9f1b9f3308125fb7c9b484852b5d6a18b2bc02 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c
index fb36f8565161..410db90db73d 100644
--- a/net/openvswitch/flow.c
+++ b/net/openvswitch/flow.c
@@ -1178,6 +1178,7 @@ static int __parse_flow_nlattrs(const struct nlattr *attr,
 		if (type > OVS_KEY_ATTR_MAX) {
 			OVS_NLERR("Unknown key attribute (type=%d, max=%d).\n",
 				  type, OVS_KEY_ATTR_MAX);
+			return -EINVAL;
 		}
 
 		if (attrs & (1 << type)) {
author	Daniel Borkmann <dborkman@redhat.com>	2013-09-07 09:41:34 +0200
committer	David S. Miller <davem@davemloft.net>	2013-09-11 16:09:58 -0400
commit	3bf4b5b11d381fed6a94a7e487e01c8b3bc436b9 (patch)
tree	afafcea11e352e1a6c17c46d6d0981ee5345e92c /net
parent	df9f1b9f3308125fb7c9b484852b5d6a18b2bc02 (diff)