From patchwork Mon Jan 14 09:16:56 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ross Lagerwall <ross.lagerwall@citrix.com>
X-Patchwork-Id: 1024335
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming-netdev@ozlabs.org
Delivered-To: patchwork-incoming-netdev@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netdev-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dmarc=none (p=none dis=none) header.from=citrix.com
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 43dSXz6X1Cz9sBZ
	for <patchwork-incoming-netdev@ozlabs.org>;
	Mon, 14 Jan 2019 20:17:23 +1100 (AEDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1726469AbfANJRW (ORCPT
	<rfc822;patchwork-incoming-netdev@ozlabs.org>);
	Mon, 14 Jan 2019 04:17:22 -0500
Received: from smtp03.citrix.com ([162.221.156.55]:60383 "EHLO
	SMTP03.CITRIX.COM" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1726187AbfANJRW (ORCPT
	<rfc822;netdev@vger.kernel.org>); Mon, 14 Jan 2019 04:17:22 -0500
X-IronPort-AV: E=Sophos;i="5.56,477,1539648000"; d="scan'208";a="75490255"
From: Ross Lagerwall <ross.lagerwall@citrix.com>
To: <netdev@vger.kernel.org>
CC: Pravin B Shelar <pshelar@ovn.org>,
	"David S. Miller" <davem@davemloft.net>, <dev@openvswitch.org>,
	Ross Lagerwall <ross.lagerwall@citrix.com>
Subject: [PATCH] openvswitch: Avoid OOB read when parsing flow nlattrs
Date: Mon, 14 Jan 2019 09:16:56 +0000
Message-ID: <20190114091656.28594-1-ross.lagerwall@citrix.com>
X-Mailer: git-send-email 2.17.2
MIME-Version: 1.0
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

For nested and variable attributes, the expected length of an attribute
is not known and marked by a negative number.  This results in an OOB
read when the expected length is later used to check if the attribute is
all zeros. Fix this by using the actual length of the attribute rather
than the expected length.

Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Acked-by: Pravin B Shelar <pshelar@ovn.org>
---
 net/openvswitch/flow_netlink.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
index 435a4bdf8f89..691da853bef5 100644
--- a/net/openvswitch/flow_netlink.c
+++ b/net/openvswitch/flow_netlink.c
@@ -500,7 +500,7 @@ static int __parse_flow_nlattrs(const struct nlattr *attr,
 			return -EINVAL;
 		}
 
-		if (!nz || !is_all_zero(nla_data(nla), expected_len)) {
+		if (!nz || !is_all_zero(nla_data(nla), nla_len(nla))) {
 			attrs |= 1 << type;
 			a[type] = nla;
 		}