Bug 200537

Summary: Potential NULL pointer dereference when nla_nest_start() fails in net/openvswitch/datapath.c
Product: Networking
Reporter: Jason Wood (jasonwood2031)
Component: Other
Assignee: Stephen Hemminger (stephen)
Status: RESOLVED PATCH_ALREADY_AVAILABLE
Severity: normal
Priority: P1
Hardware: All
OS: Linux
Kernel Version: v4.18-rc4
Subsystem:
Regression: No
Bisected commit-id:

Description Jason Wood 2018-07-18 07:48:24 UTC
Function queue_userspace_packet(), defined in net/openvswitch/datapath.c, may cause two NULL pointer dereferences, as it calls nla_nest_start(), which may return NULL. The returned value is later used twice in nla_nest_end(), where the pointer is dereferenced. The code related to this bug is shown below.

net/openvswitch/datapath.c:
  460
  461  	if (upcall_info->egress_tun_info) {
  462: 		nla = nla_nest_start(user_skb, OVS_PACKET_ATTR_EGRESS_TUN_KEY);
  463  		err = ovs_nla_put_tunnel_info(user_skb,
  464  					      upcall_info->egress_tun_info);
  465  		BUG_ON(err);
  466  		nla_nest_end(user_skb, nla);
  467  	}
  468
  469  	if (upcall_info->actions_len) {
  470: 		nla = nla_nest_start(user_skb, OVS_PACKET_ATTR_ACTIONS);
  471  		err = ovs_nla_put_actions(upcall_info->actions,
  472  					  upcall_info->actions_len,
  473  					  user_skb);
  474  		if (!err)
  475  			nla_nest_end(user_skb, nla);
  476  		else
  477  			nla_nest_cancel(user_skb, nla);
  478  	}

---
include/net/netlink.h:
 1297: static inline int nla_nest_end(struct sk_buff *skb, struct nlattr *start)
 1298  {
 1299  	start->nla_len = skb_tail_pointer(skb) - (unsigned char *)start;
 1300  	return skb->len;
 1301  }


Thanks for your attention!
JW, ZG
IMChecker Group, THU
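A constructed user-space model of the failure path described in this report, added here as an example; it is not kernel code and not code from the reporter. model_nest_start(), model_nest_end(), put_egress_tun_key() and ATTR_EGRESS_TUN_KEY are hypothetical stand-ins, and a 64-byte buffer replaces the sk_buff. It shows the hardened form of the egress-tunnel block, where the nest start is checked and the caller receives -EMSGSIZE instead of dereferencing NULL.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Constructed model (not the kernel's implementation): the "skb" is a fixed
 * 64-byte buffer and model_nest_start() returns NULL when there is no tailroom
 * for an attribute header, which is the failure path the report says is never
 * checked. Callers keep lengths 4-byte aligned so header writes stay aligned. */
struct nlattr { uint16_t nla_len; uint16_t nla_type; };
struct skb_model { unsigned char data[64]; size_t len; };

#define NLA_HDRLEN 4
#define ATTR_EGRESS_TUN_KEY 1  /* placeholder type id, not the kernel's value */

static struct nlattr *model_nest_start(struct skb_model *skb, uint16_t type)
{
    if (skb->len + NLA_HDRLEN > sizeof skb->data)
        return NULL;                         /* out of tailroom: the NULL case */
    struct nlattr *nla = (struct nlattr *)(skb->data + skb->len);
    nla->nla_type = type;
    nla->nla_len = NLA_HDRLEN;
    skb->len += NLA_HDRLEN;
    return nla;
}

/* Same shape as the nla_nest_end() quoted in the report: it dereferences
 * start unconditionally, so a NULL start is a crash, not an error return. */
static int model_nest_end(struct skb_model *skb, struct nlattr *start)
{
    start->nla_len = (uint16_t)((skb->data + skb->len) - (unsigned char *)start);
    return (int)skb->len;
}

/* Hardened version of the report's egress-tunnel block: the nest start is
 * checked and the caller gets -EMSGSIZE instead of a NULL dereference.
 * payload_len bytes of constructed tunnel data are copied into the nest. */
static int put_egress_tun_key(struct skb_model *skb, size_t payload_len)
{
    struct nlattr *nla = model_nest_start(skb, ATTR_EGRESS_TUN_KEY);
    if (!nla)
        return -EMSGSIZE;                    /* the check the report asks for */
    if (skb->len + payload_len > sizeof skb->data) {
        skb->len = (size_t)((unsigned char *)nla - skb->data); /* like nla_nest_cancel */
        return -EMSGSIZE;
    }
    memset(skb->data + skb->len, 0xAB, payload_len);           /* constructed payload */
    skb->len += payload_len;
    return model_nest_end(skb, nla);
}
```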
Comment 1 Jason Wood 2018-09-13 10:41:31 UTC
We have sent the patch to the developers. Currently, we're formatting the patch according to the Linux development documentation.