[ovs-dev] [PATCH V4] datapath-windows: Handle possible NULL pointer dereference in STT

Paul Boca pboca at cloudbasesolutions.com
Thu Jun 23 09:14:56 UTC 2016 

Ignore this one. Forgot to add Acked-by.

> -----Original Message-----
> From: dev [mailto:dev-bounces at openvswitch.org] On Behalf Of Paul Boca
> Sent: Thursday, June 23, 2016 12:05 PM
> To: dev at openvswitch.org
> Subject: [ovs-dev] [PATCH V4] datapath-windows: Handle possible NULL
> pointer dereference in STT
> 
> Check if OvsAllocatememoryWithTag succeeded or not.
> In case of failure propagate cleanup and return.
> ---
> V2: Checked also NdisGetDataBuffer and MmGetSystemAddressForMdlSafe
>       if they return NULL and handle the error
> V3: Don't deallocate and remove failed packets on STT reassembly.
>       They will be retransmited by sender or removed by the cleanup thread.
> V4: Removed comment that doesn't apply anymore.
> 
> Signed-off-by: Paul-Daniel Boca <pboca at cloudbasesolutions.com>
> ---
>  datapath-windows/ovsext/Stt.c | 52
> +++++++++++++++++++++++++++++++++++--------
>  1 file changed, 43 insertions(+), 9 deletions(-)
> 
> diff --git a/datapath-windows/ovsext/Stt.c b/datapath-windows/ovsext/Stt.c
> index 0bac5f2..93bc503 100644
> --- a/datapath-windows/ovsext/Stt.c
> +++ b/datapath-windows/ovsext/Stt.c
> @@ -191,6 +191,10 @@ OvsDoEncapStt(POVS_VPORT_ENTRY vport,
> 
>      bufferStart = (PUINT8)MmGetSystemAddressForMdlSafe(curMdl,
>                                                         LowPagePriority);
> +    if (bufferStart == NULL) {
> +        status = NDIS_STATUS_RESOURCES;
> +        goto ret_error;
> +    }
>      bufferStart += NET_BUFFER_CURRENT_MDL_OFFSET(curNb);
> 
>      if (layers->isIPv4) {
> @@ -402,6 +406,9 @@ OvsValidateTCPChecksum(PNET_BUFFER_LIST
> curNbl, PNET_BUFFER curNb)
> 
>      EthHdr *eth = (EthHdr *)NdisGetDataBuffer(curNb, sizeof(EthHdr),
>                                                NULL, 1, 0);
> +    if (eth == NULL) {
> +        return NDIS_STATUS_RESOURCES;
> +    }
> 
>      if (eth->Type == ntohs(NDIS_ETH_TYPE_IPV4)) {
>          IPHdr *ip = (IPHdr *)((PCHAR)eth + sizeof *eth);
> @@ -641,6 +648,9 @@ OvsSttReassemble(POVS_SWITCH_CONTEXT
> switchContext,
>          POVS_STT_PKT_ENTRY entry;
>          entry = OvsAllocateMemoryWithTag(sizeof(OVS_STT_PKT_ENTRY),
>                                           OVS_STT_POOL_TAG);
> +        if (entry == NULL) {
> +            goto handle_error;
> +        }
>          RtlZeroMemory(entry, sizeof (OVS_STT_PKT_ENTRY));
> 
>          /* Update Key, timestamp and recvdLen */
> @@ -663,6 +673,10 @@ OvsSttReassemble(POVS_SWITCH_CONTEXT
> switchContext,
>          entry->allocatedLen = innerPacketLen;
>          entry->packetBuf = OvsAllocateMemoryWithTag(innerPacketLen,
>                                                      OVS_STT_POOL_TAG);
> +        if (entry->packetBuf == NULL) {
> +            OvsFreeMemoryWithTag(entry, OVS_STT_POOL_TAG);
> +            goto handle_error;
> +        }
>          if (OvsGetPacketBytes(curNbl, fragmentLength, startOffset,
>                                entry->packetBuf + offset) == NULL) {
>              OVS_LOG_ERROR("Error when obtaining bytes from Packet");
> @@ -677,9 +691,6 @@ OvsSttReassemble(POVS_SWITCH_CONTEXT
> switchContext,
>              // don't copy more than it is allocated
>              goto handle_error;
>          }
> -        /* Add to recieved length to identify if this is the last fragment */
> -        pktFragEntry->recvdLen += fragmentLength;
> -        lastPacket = (pktFragEntry->recvdLen == innerPacketLen);
> 
>          if (segOffset == 0) {
>              pktFragEntry->sttHdr = *sttHdr;
> @@ -694,6 +705,10 @@ OvsSttReassemble(POVS_SWITCH_CONTEXT
> switchContext,
>              OVS_LOG_ERROR("Error when obtaining bytes from Packet");
>              goto handle_error;
>          }
> +
> +        /* Add to received length to identify if this is the last fragment */
> +        pktFragEntry->recvdLen += fragmentLength;
> +        lastPacket = (pktFragEntry->recvdLen == innerPacketLen);
>      }
> 
>  handle_error:
> @@ -737,7 +752,7 @@ handle_error:
>  *----------------------------------------------------------------------------
>  */
>  NDIS_STATUS
> -OvsDecapSetOffloads(PNET_BUFFER_LIST *curNbl,
> +OvsDecapSetOffloads(PNET_BUFFER_LIST *curNbl,
>                      SttHdr *sttHdr,
>                      OVS_PACKET_HDR_INFO *layers)
>  {
> @@ -797,6 +812,9 @@ OvsDecapSetOffloads(PNET_BUFFER_LIST *curNbl,
> 
>          buf = (PUINT8)MmGetSystemAddressForMdlSafe(curMdl,
>              LowPagePriority);
> +        if (buf == NULL) {
> +            return NDIS_STATUS_RESOURCES;
> +        }
>          buf += NET_BUFFER_CURRENT_MDL_OFFSET(curNb);
> 
>          // apply pseudo checksum on extracted packet
> @@ -876,7 +894,9 @@ OvsDecapStt(POVS_SWITCH_CONTEXT
> switchContext,
> 
>      ipHdr = NdisGetDataBuffer(curNb, sizeof *ipHdr, (PVOID) &ipBuf,
>                                                      1 /*no align*/, 0);
> -    ASSERT(ipHdr);
> +    if (ipHdr == NULL) {
> +        return NDIS_STATUS_RESOURCES;
> +    }
> 
>      TCPHdr *tcp = (TCPHdr *)((PCHAR)ipHdr + ipHdr->ihl * 4);
> 
> @@ -906,6 +926,9 @@ OvsDecapStt(POVS_SWITCH_CONTEXT
> switchContext,
>          /* STT Header */
>          sttHdr = NdisGetDataBuffer(curNb, sizeof *sttHdr,
>                                     (PVOID) &sttBuf, 1 /*no align*/, 0);
> +        if (sttHdr == NULL) {
> +            return NDIS_STATUS_RESOURCES;
> +        }
>          /* Skip stt header, DataOffset points to inner pkt now. */
>          hdrLen = STT_HDR_LEN;
>          NdisAdvanceNetBufferDataStart(curNb, hdrLen, FALSE, NULL);
> @@ -922,8 +945,8 @@ OvsDecapStt(POVS_SWITCH_CONTEXT
> switchContext,
> 
>      status = NdisRetreatNetBufferDataStart(curNb, advanceCnt, 0, NULL);
>      if (status != NDIS_STATUS_SUCCESS) {
> -        OvsCompleteNBL(switchContext, *newNbl, TRUE);
> -        return NDIS_STATUS_FAILURE;
> +        status = NDIS_STATUS_FAILURE;
> +        goto dropNbl;
>      }
> 
>      ASSERT(sttHdr);
> @@ -942,8 +965,8 @@ OvsDecapStt(POVS_SWITCH_CONTEXT
> switchContext,
>      if (0 != ipHdr->tos) {
>          status = OvsExtractLayers(*newNbl, &layers);
>          if (status != NDIS_STATUS_SUCCESS) {
> -            OvsCompleteNBL(switchContext, *newNbl, TRUE);
> -            return NDIS_STATUS_FAILURE;
> +            status = NDIS_STATUS_FAILURE;
> +            goto dropNbl;
>          }
> 
>          if (layers.isIPv4) {
> @@ -966,6 +989,9 @@ OvsDecapStt(POVS_SWITCH_CONTEXT
> switchContext,
>                  /* fix IP checksum */
>                  innerIpHdr->check = IPChecksum((UINT8 *)innerIpHdr,
>                                                  innerIpHdr->ihl * 4, 0);
> +            } else {
> +                status = NDIS_STATUS_RESOURCES;
> +                goto dropNbl;
>              }
>          } else if (layers.isIPv6) {
>              IPv6Hdr ipv6_storage;
> @@ -980,6 +1006,9 @@ OvsDecapStt(POVS_SWITCH_CONTEXT
> switchContext,
>                                      | ((innerIpv6Hdr->flow_lbl[0] & 0x3) << 2);
>                  innerIpv6Hdr->flow_lbl[0] = (innerIpv6Hdr->flow_lbl[0] & 0xF)
>                                               | ((ipHdr->tos & 0xF) << 4);
> +            } else {
> +                status = NDIS_STATUS_RESOURCES;
> +                goto dropNbl;
>              }
>          }
>      }
> @@ -998,4 +1027,9 @@ OvsDecapStt(POVS_SWITCH_CONTEXT
> switchContext,
>      OvsDecapSetOffloads(newNbl, sttHdr, &layers);
> 
>      return NDIS_STATUS_SUCCESS;
> +
> +dropNbl:
> +    OvsCompleteNBL(switchContext, *newNbl, TRUE);
> +    *newNbl = NULL;
> +    return status;
>  }
> --
> 2.7.2.windows.1
> _______________________________________________
> dev mailing list
> dev at openvswitch.org
> http://openvswitch.org/mailman/listinfo/dev

More information about the dev mailing list