Bug 200537 - Potential NULL pointer dereference when nla_nest_start() fails in net/openvswitch/datapath.c
Summary: Potential NULL pointer dereference when nla_nest_start() fails in net/openvsw...
Status: RESOLVED PATCH_ALREADY_AVAILABLE
Alias: None
Product: Networking
Classification: Unclassified
Component: Other
Hardware: All Linux
: P1 normal
Assignee: Stephen Hemminger
URL:
Keywords:
Depends on:
Blocks:
Reported: 2018-07-18 07:48 UTC by Jason Wood
Modified: 2018-09-13 10:41 UTC

See Also:
Kernel Version: v4.18-rc4
Subsystem:
Regression: No
Bisected commit-id:



Description Jason Wood 2018-07-18 07:48:24 UTC
Function queue_userspace_packet(), defined in net/openvswitch/datapath.c, may cause two NULL pointer dereferences, as it calls nla_nest_start(), which may return NULL. The returned value is later used twice in function nla_nest_end(), where the pointer is dereferenced. Code related to this bug is shown as follows.

net/openvswitch/datapath.c:
  460
  461  	if (upcall_info->egress_tun_info) {
  462: 		nla = nla_nest_start(user_skb, OVS_PACKET_ATTR_EGRESS_TUN_KEY);
  463  		err = ovs_nla_put_tunnel_info(user_skb,
  464  					      upcall_info->egress_tun_info);
  465  		BUG_ON(err);
  466  		nla_nest_end(user_skb, nla);
  467  	}
  468
  469  	if (upcall_info->actions_len) {
  470: 		nla = nla_nest_start(user_skb, OVS_PACKET_ATTR_ACTIONS);
  471  		err = ovs_nla_put_actions(upcall_info->actions,
  472  					  upcall_info->actions_len,
  473  					  user_skb);
  474  		if (!err)
  475  			nla_nest_end(user_skb, nla);
  476  		else
  477  			nla_nest_cancel(user_skb, nla);
  478  	}

---
include/net/netlink.h:
 1297: static inline int nla_nest_end(struct sk_buff *skb, struct nlattr *start)
 1298  {
 1299  	start->nla_len = skb_tail_pointer(skb) - (unsigned char *)start;
 1300  	return skb->len;
 1301  }


Thanks for your attention!
JW, ZG
IMChecker Group, THU
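The following is an added example, not kernel code and not part of the report: a constructed C model of the netlink helpers involved (struct skb, nla_reserve, put_nested_unchecked and put_nested_checked are stand-ins invented here), showing how a NULL return from nla_nest_start() on a full buffer reaches the unconditional dereference in nla_nest_end(), and the usual defensive form that returns -EMSGSIZE and cancels the nest instead.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for the kernel's struct nlattr and struct sk_buff:
 * a fixed-size message buffer with a fill level. Not kernel code. */
struct nlattr { uint16_t nla_len; uint16_t nla_type; };
struct skb { unsigned char data[64]; size_t len; size_t size; };

/* Like the kernel's nla_reserve(): NULL once the tailroom is exhausted. */
static void *nla_reserve(struct skb *skb, size_t n) {
    if (skb->size - skb->len < n) return NULL;
    void *p = skb->data + skb->len;
    skb->len += n;
    return p;
}

/* nla_nest_start() only opens a header, so it returns NULL on a full buffer. */
struct nlattr *nla_nest_start(struct skb *skb, uint16_t type) {
    struct nlattr *nla = nla_reserve(skb, sizeof *nla);
    if (nla) { nla->nla_type = type; nla->nla_len = 0; }
    return nla;
}

/* Mirrors include/net/netlink.h: 'start' is dereferenced unconditionally. */
static int nla_nest_end(struct skb *skb, struct nlattr *start) {
    start->nla_len = (uint16_t)((skb->data + skb->len) - (unsigned char *)start);
    return (int)skb->len;
}

/* nla_nest_cancel(): trim the buffer back to where the nest began. */
static void nla_nest_cancel(struct skb *skb, struct nlattr *start) {
    if (start) skb->len = (size_t)((unsigned char *)start - skb->data);
}

/* The pattern from the report: a NULL nest pointer flows into nla_nest_end(). */
int put_nested_unchecked(struct skb *skb, uint16_t type) {
    struct nlattr *nla = nla_nest_start(skb, type);
    nla_reserve(skb, 8);            /* nested payload */
    return nla_nest_end(skb, nla);  /* NULL dereference when nla == NULL */
}

/* Defensive form: report -EMSGSIZE and unwind instead of dereferencing NULL. */
int put_nested_checked(struct skb *skb, uint16_t type) {
    struct nlattr *nla = nla_nest_start(skb, type);
    if (!nla) return -EMSGSIZE;
    if (!nla_reserve(skb, 8)) { nla_nest_cancel(skb, nla); return -EMSGSIZE; }
    return nla_nest_end(skb, nla);
}
```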
Comment 1 Jason Wood 2018-09-13 10:41:31 UTC
We have sent the patch to the developers. Currently, we're formatting the patch according to the Linux development documentation.
