Function queue_userspace_packet(), defined in net/openvswitch/datapath.c, may cause two null pointer dereferences, as it calls nla_nest_start(), which may return NULL. The returned value is later used twice in nla_nest_end(), where the pointer is dereferenced. Code related to this bug is shown as follows.

net/openvswitch/datapath.c:

  460
  461       if (upcall_info->egress_tun_info) {
  462:          nla = nla_nest_start(user_skb, OVS_PACKET_ATTR_EGRESS_TUN_KEY);
  463           err = ovs_nla_put_tunnel_info(user_skb,
  464                                         upcall_info->egress_tun_info);
  465           BUG_ON(err);
  466           nla_nest_end(user_skb, nla);
  467       }
  468
  469       if (upcall_info->actions_len) {
  470:          nla = nla_nest_start(user_skb, OVS_PACKET_ATTR_ACTIONS);
  471           err = ovs_nla_put_actions(upcall_info->actions,
  472                                     upcall_info->actions_len,
  473                                     user_skb);
  474           if (!err)
  475               nla_nest_end(user_skb, nla);
  476           else
  477               nla_nest_cancel(user_skb, nla);
  478       }

---

include/net/netlink.h:

  1297: static inline int nla_nest_end(struct sk_buff *skb, struct nlattr *start)
  1298  {
  1299      start->nla_len = skb_tail_pointer(skb) - (unsigned char *)start;
  1300      return skb->len;
  1301  }

Thanks for your attention!

JW, ZG
IMChecker Group, THU
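The helper contract behind the report, as an added userspace model (this is example code, not the kernel's own nor the reporters'): in include/net/netlink.h, nla_nest_start() opens an empty container with nla_put() and returns NULL when nla_put() finds too little tailroom, while nla_nest_end() writes through its pointer unconditionally. The struct and helper names below mirror the kernel's, but the buffer type (a "model_skb" with a fixed array and a used-byte count), the attribute type numbers and the six-byte action payload are constructed for this example. Whether the real user_skb can run out of room is a separate question, since queue_userspace_packet() allocates it from a size computed up front by upcall_msg_size(); the model shows what each helper does at the boundary either way, and the checked pattern a reviewer would ask for if that accounting were ever wrong.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Netlink attribute header, same wire layout as the kernel's struct nlattr. */
struct nlattr {
	uint16_t nla_len;
	uint16_t nla_type;
};

#define NLA_ALIGNTO 4
#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))
#define NLA_HDRLEN ((int)NLA_ALIGN(sizeof(struct nlattr)))

/* Simplified stand-in for sk_buff (an assumption of this example). */
struct model_skb {
	unsigned char *data;
	size_t size;	/* bytes available */
	size_t len;	/* bytes used */
};

static unsigned char *skb_tail_pointer(const struct model_skb *skb)
{
	return skb->data + skb->len;
}

static size_t skb_tailroom(const struct model_skb *skb)
{
	return skb->size - skb->len;
}

/* Append one 4-byte-aligned attribute; -EMSGSIZE when it does not fit. */
static int nla_put(struct model_skb *skb, int attrtype, int attrlen,
		   const void *payload)
{
	size_t total = NLA_ALIGN(NLA_HDRLEN + attrlen);
	struct nlattr *nla;

	if (skb_tailroom(skb) < total)
		return -EMSGSIZE;
	nla = (struct nlattr *)skb_tail_pointer(skb);
	nla->nla_type = (uint16_t)attrtype;
	nla->nla_len = (uint16_t)(NLA_HDRLEN + attrlen);
	memset((unsigned char *)nla + NLA_HDRLEN, 0, total - NLA_HDRLEN);
	if (attrlen)
		memcpy((unsigned char *)nla + NLA_HDRLEN, payload, (size_t)attrlen);
	skb->len += total;
	return 0;
}

/* As in the kernel: open an empty container, NULL when out of room. */
static struct nlattr *nla_nest_start(struct model_skb *skb, int attrtype)
{
	struct nlattr *start = (struct nlattr *)skb_tail_pointer(skb);

	if (nla_put(skb, attrtype, 0, NULL) < 0)
		return NULL;
	return start;
}

/* As in the kernel: dereferences start without checking it. */
static int nla_nest_end(struct model_skb *skb, struct nlattr *start)
{
	start->nla_len = (uint16_t)(skb_tail_pointer(skb) - (unsigned char *)start);
	return (int)skb->len;
}

/* Checked form of the OVS_PACKET_ATTR_ACTIONS block: the nest pointer is
 * tested before anything writes through it. */
static int put_nested_actions(struct model_skb *skb, int container_type,
			      int inner_type, const void *acts, int acts_len)
{
	struct nlattr *nla = nla_nest_start(skb, container_type);
	int err;

	if (!nla)
		return -EMSGSIZE;	/* unchecked code would hand NULL to nla_nest_end() */
	err = nla_put(skb, inner_type, acts_len, acts);
	if (err) {
		skb->len = (size_t)((unsigned char *)nla - skb->data);	/* nla_nest_cancel() */
		return err;
	}
	nla_nest_end(skb, nla);
	return 0;
}

static uint32_t scratch_words[16];	/* 64 bytes, aligned for struct nlattr */
#define SCRATCH_SIZE sizeof(scratch_words)

/* Build the container into the first `size` bytes of the scratch buffer.
 * Returns bytes written, or -EMSGSIZE when the message does not fit. */
static int build_packet_attrs(size_t size)
{
	static const unsigned char actions[6] = { 1, 2, 3, 4, 5, 6 };	/* constructed payload */
	struct model_skb skb = {
		.data = (unsigned char *)scratch_words,
		.size = size > SCRATCH_SIZE ? SCRATCH_SIZE : size,
		.len = 0,
	};
	int err = put_nested_actions(&skb, 3, 1, actions, sizeof actions);	/* types arbitrary */

	return err ? err : (int)skb.len;
}

/* The nla_len that nla_nest_end() stored in the outer container header. */
static int outer_nest_len(void)
{
	struct nlattr nla;

	memcpy(&nla, scratch_words, sizeof nla);
	return nla.nla_len;
}

int main(void)
{
	int n = build_packet_attrs(64);

	printf("64-byte skb: wrote %d bytes, outer nla_len=%d\n", n, outer_nest_len());
	printf("2-byte skb: %d (nla_nest_start() returned NULL)\n", build_packet_attrs(2));
	printf("8-byte skb: %d (inner nla_put() failed, nest cancelled)\n", build_packet_attrs(8));
	return 0;
}
```

With 64 bytes the container header (4 bytes) plus the padded 6-byte action attribute (12 bytes) gives a 16-byte message and an outer nla_len of 16; with 2 bytes nla_nest_start() itself returns NULL and the checked path returns -EMSGSIZE instead of faulting; with 8 bytes the container opens but the inner nla_put() fails, which is the existing nla_nest_cancel() branch in the actions block.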
We have sent the patch to the developers. Currently, we're formatting the patch according to the Linux development documentation.