aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorLiping Zhang <zlpnobody@gmail.com>2017-07-23 17:52:23 +0800
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2017-08-11 08:33:57 -0700
commit9bb104937bba459bba907663e7a644f987b849d3 (patch)
tree71dd6e9f96b6a8853c97a6b6ca5eae798e575fb8 /net
parent98a729f5902205ec83d3b0911acb60385dbc84c8 (diff)
downloadlinux-yocto-4.12-9bb104937bba459bba907663e7a644f987b849d3.tar.gz
linux-yocto-4.12-9bb104937bba459bba907663e7a644f987b849d3.tar.bz2
linux-yocto-4.12-9bb104937bba459bba907663e7a644f987b849d3.zip
openvswitch: fix potential out of bound access in parse_ct
[ Upstream commit 69ec932e364b1ba9c3a2085fe96b76c8a3f71e7c ] Before the 'type' is validated, we shouldn't use it to fetch the ovs_ct_attr_lens's minlen and maxlen, else, out of bound access may happen. Fixes: 7f8a436eaa2c ("openvswitch: Add conntrack action") Signed-off-by: Liping Zhang <zlpnobody@gmail.com> Acked-by: Pravin B Shelar <pshelar@ovn.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net')
-rw-r--r--net/openvswitch/conntrack.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
index 08679ebb3068..b3bf66bbf4dc 100644
--- a/net/openvswitch/conntrack.c
+++ b/net/openvswitch/conntrack.c
@@ -1289,8 +1289,8 @@ static int parse_ct(const struct nlattr *attr, struct ovs_conntrack_info *info,
nla_for_each_nested(a, attr, rem) {
int type = nla_type(a);
- int maxlen = ovs_ct_attr_lens[type].maxlen;
- int minlen = ovs_ct_attr_lens[type].minlen;
+ int maxlen;
+ int minlen;
if (type > OVS_CT_ATTR_MAX) {
OVS_NLERR(log,
@@ -1298,6 +1298,9 @@ static int parse_ct(const struct nlattr *attr, struct ovs_conntrack_info *info,
type, OVS_CT_ATTR_MAX);
return -EINVAL;
}
+
+ maxlen = ovs_ct_attr_lens[type].maxlen;
+ minlen = ovs_ct_attr_lens[type].minlen;
if (nla_len(a) < minlen || nla_len(a) > maxlen) {
OVS_NLERR(log,
"Conntrack attr type has unexpected length (type=%d, length=%d, expected=%d)",