If "hlen" is less than "cutlen" then when we call upcall_msg_size() the "hlen - cutlen" parameter will be a very high positive number.
Later in the function we use "skb->len - cutlen" but this change addresses that potential underflow since skb->len is always going to be greater than or equal to hlen. Fixes: f2a4d086ed4c ("openvswitch: Add packet truncation support.") Signed-off-by: Dan Carpenter <dan.carpen...@linaro.org> --- >From code review not testing. net/openvswitch/datapath.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c index 225f6048867f..bb25a2bbe8a0 100644 --- a/net/openvswitch/datapath.c +++ b/net/openvswitch/datapath.c @@ -477,6 +477,11 @@ static int queue_userspace_packet(struct datapath *dp, struct sk_buff *skb, else hlen = skb->len; + if (hlen < cutlen) { + err = -EINVAL; + goto out; + } + len = upcall_msg_size(upcall_info, hlen - cutlen, OVS_CB(skb)->acts_origlen); user_skb = genlmsg_new(len, GFP_ATOMIC); -- 2.45.2 _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
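Review bot: The new "if (hlen < cutlen)" check in queue_userspace_packet() fails the whole upcall with -EINVAL, but nothing in the hunk or the commit message shows that this state is actually an error. The commit message says skb->len is always greater than or equal to hlen, so a cutlen that is larger than hlen can still be within skb->len, and a truncation request that is valid for the packet as a whole would now be dropped. Consider clamping the size passed to upcall_msg_size() instead (for example passing 0 when hlen < cutlen), or add a comment above the check stating why cutlen can never legitimately exceed hlen. Since the note under the "---" says this comes from code review and not testing, it would also help to name the code path that sets cutlen so the bound can be confirmed.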