From patchwork Fri Dec 18 00:28:09 2015
X-Patchwork-Submitter: Jesse Gross
X-Patchwork-Id: 558695
From: Jesse Gross
To: dev@openvswitch.org
Date: Thu, 17 Dec 2015 16:28:09 -0800
Message-Id: <1450398489-72305-1-git-send-email-jesse@kernel.org>
Subject: [ovs-dev] [PATCH] dpif-netdev: Avoid using uninitialized memory with tunnel options.

When handling an upcall with the userspace datapath, it's currently possible for a flow from a packet with no tunnel options to come back with matches on the options. If that happens, dpif-netdev will attempt to translate the wildcards provided by ofproto into the format used by dpif. The translation requires use of the original wildcards from the flow, which, since they didn't exist, is uninitialized memory.

Matching on fields which don't actually exist is itself a bug. However, this can occur when we attempt to set a tunnel option on the packet - ofproto generates a match on the field in the original packet. This is being fixed separately.

In other situations where we have a match on an unexpected field, we simply ignore it. This happens with tunnel options with the kernel datapath, non-tunnel fields that don't exist in the packet, and even with Geneve where we do have some options but not the particular one that was matched on. This brings the same behavior for this case and avoids the possibility of accessing uninitialized memory. Reported-by: Daniele Di Proietto Signed-off-by: Jesse Gross Acked-by: Daniele Di Proietto --- lib/dpif-netdev.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/lib/dpif-netdev.c b/lib/dpif-netdev.c index 12cbef8..bda2685 100644 --- a/lib/dpif-netdev.c +++ b/lib/dpif-netdev.c @@ -3069,11 +3069,15 @@ dp_netdev_upcall(struct dp_netdev_pmd_thread *pmd, struct dp_packet *packet_, struct geneve_opt opts[TLV_TOT_OPT_SIZE / sizeof(struct geneve_opt)]; - tun_metadata_to_geneve_udpif_mask(&flow->tunnel, - &wc->masks.tunnel, - orig_tunnel.metadata.opts.gnv, - orig_tunnel.metadata.present.len, - opts); + if (orig_tunnel.flags & FLOW_TNL_F_UDPIF) { + tun_metadata_to_geneve_udpif_mask(&flow->tunnel, + &wc->masks.tunnel, + orig_tunnel.metadata.opts.gnv, + orig_tunnel.metadata.present.len, + opts); + } else { + orig_tunnel.metadata.present.len = 0; + } memset(&wc->masks.tunnel.metadata, 0, sizeof wc->masks.tunnel.metadata);
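
Review bot: The new else branch leaves `opts` unwritten and zeroes `orig_tunnel.metadata.present.len` without a comment saying why. The safety of that path depends on whatever consumes `opts` after the `memset` honouring the zero length, and that code is not visible in this hunk. A one-line comment in the else branch stating that no options were received in UDPIF format and that the length is cleared so `opts` is never read would make the coupling explicit. Alternatively, zero-initializing `opts` at its declaration would keep the path safe even if a later change reads the buffer without checking the length. It may also be worth noting in the comment that the unexpected match is being dropped silently here, as the commit message explains, so a reader of the code does not mistake the else branch for an error path.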