Re: [ovs-dev] [PATCH 1/3] datapath: Avoid OOB read when parsing flow nlattrs
Thanks Ben!! On 2/4/2019 1:49 PM, Ben Pfaff wrote: I applied this series to master and backported as far as branch-2.6. (It did not apply cleanly to branch-2.5.) ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [PATCH 1/3] datapath: Avoid OOB read when parsing flow nlattrs
I applied this series to master and backported as far as branch-2.6. (It did not apply cleanly to branch-2.5.) ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [PATCH 1/3] datapath: Avoid OOB read when parsing flow nlattrs
On Thu, Jan 31, 2019 at 1:17 PM Greg Rose wrote: > > From: Ross Lagerwall > > Upstream commit: > commit 04a4af334b971814eedf4e4a413343ad3287d9a9 > Author: Ross Lagerwall > Date: Mon Jan 14 09:16:56 2019 + > > openvswitch: Avoid OOB read when parsing flow nlattrs > > For nested and variable attributes, the expected length of an attribute > is not known and marked by a negative number. This results in an OOB > read when the expected length is later used to check if the attribute is > all zeros. Fix this by using the actual length of the attribute rather > than the expected length. > > Signed-off-by: Ross Lagerwall > Acked-by: Pravin B Shelar > Signed-off-by: David S. Miller > > Cc: Ross Lagerwall > Signed-off-by: Greg Rose > --- Thanks for the backport. I am good with the whole series. Acked-by: Yi-Hung Wei ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
[ovs-dev] [PATCH 1/3] datapath: Avoid OOB read when parsing flow nlattrs
From: Ross Lagerwall Upstream commit: commit 04a4af334b971814eedf4e4a413343ad3287d9a9 Author: Ross Lagerwall Date: Mon Jan 14 09:16:56 2019 + openvswitch: Avoid OOB read when parsing flow nlattrs For nested and variable attributes, the expected length of an attribute is not known and marked by a negative number. This results in an OOB read when the expected length is later used to check if the attribute is all zeros. Fix this by using the actual length of the attribute rather than the expected length. Signed-off-by: Ross Lagerwall Acked-by: Pravin B Shelar Signed-off-by: David S. Miller Cc: Ross Lagerwall Signed-off-by: Greg Rose --- datapath/flow_netlink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/datapath/flow_netlink.c b/datapath/flow_netlink.c index 07a6026..e5e469a 100644 --- a/datapath/flow_netlink.c +++ b/datapath/flow_netlink.c @@ -502,7 +502,7 @@ static int __parse_flow_nlattrs(const struct nlattr *attr, return -EINVAL; } - if (!nz || !is_all_zero(nla_data(nla), expected_len)) { + if (!nz || !is_all_zero(nla_data(nla), nla_len(nla))) { attrs |= 1ULL << type; a[type] = nla; } -- 1.8.3.1 ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev