Re: [ovs-dev] [PATCH] datapath-windows: Handle possible NULL pointer dereference in STT

Alin Serdean Tue, 14 Jun 2016 09:07:26 -0700

I looked briefly over stt.c and there is a list of issues to be fixed if you 
want to make part of this patch:


NdisGetDataBuffer can be null and should be checked 
(https://msdn.microsoft.com/en-us/library/windows/hardware/ff562631(v=vs.85).aspx
 )
" The return value can also be NULL due to a low resource condition where a 
data buffer cannot be mapped. This may occur even if the data is contiguous or 
the Storage parameter is non-NULL."
        
https://github.com/openvswitch/ovs/blob/master/datapath-windows/ovsext/Stt.c#L403
        
https://github.com/openvswitch/ovs/blob/master/datapath-windows/ovsext/Stt.c#L877
        
https://github.com/openvswitch/ovs/blob/master/datapath-windows/ovsext/Stt.c#L907

https://github.com/openvswitch/ovs/blob/master/datapath-windows/ovsext/Stt.c#L972-L983
 needs an else branch
https://github.com/openvswitch/ovs/blob/master/datapath-windows/ovsext/Stt.c#L957-L969
 needs an else branch

MmGetSystemAddressForMdlSafe 
(https://msdn.microsoft.com/en-us/library/windows/hardware/ff554559(v=vs.85).aspx)
 should be checked:
https://github.com/openvswitch/ovs/blob/master/datapath-windows/ovsext/Stt.c#L192
https://github.com/openvswitch/ovs/blob/master/datapath-windows/ovsext/Stt.c#L798

https://github.com/openvswitch/ovs/blob/master/datapath-windows/ovsext/Stt.c#L666-L670
in the case it fails entry->packetBuf, entry should be freed

I think if 
https://github.com/openvswitch/ovs/blob/master/datapath-windows/ovsext/Stt.c#L691-L696
fails 
we should free pktFragEntry->packetBuf and pktFragEntry.

Also comment inlined.

Thanks,
Alin.

> -----Mesaj original-----
> De la: dev [mailto:[email protected]] În numele Paul Boca
> Trimis: Tuesday, June 14, 2016 2:27 PM
> Către: [email protected]
> Subiect: [ovs-dev] [PATCH] datapath-windows: Handle possible NULL pointer
> dereference in STT
> 
> Check if OvsAllocatememoryWithTag succeeded or not.
> In case of failure propagate cleanup and return.
> 
> Signed-off-by: Paul-Daniel Boca <[email protected]>
> ---
>  datapath-windows/ovsext/Stt.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/datapath-windows/ovsext/Stt.c b/datapath-
> windows/ovsext/Stt.c index 0bac5f2..e63211d 100644
> --- a/datapath-windows/ovsext/Stt.c
> +++ b/datapath-windows/ovsext/Stt.c
> @@ -641,6 +641,9 @@ OvsSttReassemble(POVS_SWITCH_CONTEXT
> switchContext,
>          POVS_STT_PKT_ENTRY entry;
>          entry = OvsAllocateMemoryWithTag(sizeof(OVS_STT_PKT_ENTRY),
>                                           OVS_STT_POOL_TAG);
> +        if (NULL == entry) {
> +            goto handle_error;
> +        }
>          RtlZeroMemory(entry, sizeof (OVS_STT_PKT_ENTRY));
> 
>          /* Update Key, timestamp and recvdLen */ @@ -663,6 +666,10 @@
> OvsSttReassemble(POVS_SWITCH_CONTEXT switchContext,
>          entry->allocatedLen = innerPacketLen;
>          entry->packetBuf = OvsAllocateMemoryWithTag(innerPacketLen,
>                                                      OVS_STT_POOL_TAG);
> +        if (NULL == entry->packetBuf) {
> +            OvsFreeMemoryWithTag(pktFragEntry, OVS_STT_POOL_TAG);
[Alin Gabriel Serdean: ] s/pktFragEntry/entry
> +            goto handle_error;
> +        }
>          if (OvsGetPacketBytes(curNbl, fragmentLength, startOffset,
>                                entry->packetBuf + offset) == NULL) {
>              OVS_LOG_ERROR("Error when obtaining bytes from Packet");
> --
> 2.7.2.windows.1
> _______________________________________________
> dev mailing list
> [email protected]
> http://openvswitch.org/mailman/listinfo/dev
_______________________________________________
dev mailing list
[email protected]
http://openvswitch.org/mailman/listinfo/dev

Re: [ovs-dev] [PATCH] datapath-windows: Handle possible NULL pointer dereference in STT

Reply via email to