[ovs-git] Open vSwitch: datapath: flow: fix potential illegal memory access in __parse_flow_nlattrs (branch-2.0)

dev at openvswitch.org dev at openvswitch.org
Mon Sep 9 20:32:45 UTC 2013


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Open vSwitch".

The branch, branch-2.0 has been updated
       via  2758da116d204fe51c20801a2714aef1f78d5922 (commit)
      from  7c16c8cbe6a2b701e66d52b407fee4b7ed2065b2 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 2758da116d204fe51c20801a2714aef1f78d5922
Diffs: http://openvswitch.org/cgi-bin/gitweb.cgi?p=openvswitch;a=commitdiff;h=2758da116d204fe51c20801a2714aef1f78d5922
Author: Daniel Borkmann <dborkman at redhat.com>
		
datapath: flow: fix potential illegal memory access in __parse_flow_nlattrs
		
In function __parse_flow_nlattrs(), we check for condition
(type > OVS_KEY_ATTR_MAX) and if true, print an error, but we do
not return from this function as in other checks. It seems this
has been forgotten, as otherwise, we could access beyond the
memory of ovs_key_lens, which is of ovs_key_lens[OVS_KEY_ATTR_MAX + 1].
Hence, a maliciously prepared nla_type from user space could access
beyond this upper limit.

Introduced by 03f0d916a ("openvswitch: Mega flow implementation").

Signed-off-by: Daniel Borkmann <dborkman at redhat.com>
Cc: Andy Zhou <azhou at nicira.com>
Signed-off-by: Jesse Gross <jesse at nicira.com>


-----------------------------------------------------------------------

Summary of changes:
 datapath/flow.c |    1 +
 1 file changed, 1 insertion(+)


hooks/post-receive
-- 
Open vSwitch



More information about the git mailing list