[PATCH net] openvswitch: Fix IPv6 exthdr handling with ct helpers.

[PATCH net] openvswitch: Fix IPv6 exthdr handling with ct helpers.

[Joe Stringer]

Static code analysis reveals the following bug:

        net/openvswitch/conntrack.c:281 ovs_ct_helper()
        warn: unsigned 'protoff' is never less than zero.

This signedness bug breaks error handling for IPv6 extension headers when
using conntrack helpers. Fix the error by using a local signed variable.

Fixes:  cae3a2627520: "openvswitch: Allow attaching helpers to ct
action"
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Joe Stringer <joestringer@nicira.com>
---
 net/openvswitch/conntrack.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
index e8e524a..002a755 100644
--- a/net/openvswitch/conntrack.c
+++ b/net/openvswitch/conntrack.c
@@ -275,13 +275,15 @@ static int ovs_ct_helper(struct sk_buff *skb, u16 proto)
 	case NFPROTO_IPV6: {
 		u8 nexthdr = ipv6_hdr(skb)->nexthdr;
 		__be16 frag_off;
+		int ofs;
 
-		protoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr),
-					   &nexthdr, &frag_off);
-		if (protoff < 0 || (frag_off & htons(~0x7)) != 0) {
+		ofs = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr,
+				       &frag_off);
+		if (ofs < 0 || (frag_off & htons(~0x7)) != 0) {
 			pr_debug("proto header not found\n");
 			return NF_ACCEPT;
 		}
+		protoff = ofs;
 		break;
 	}
 	default:
-- 
2.1.4

Re: [PATCH net] openvswitch: Fix IPv6 exthdr handling with ct helpers.

[Pravin Shelar]

On Mon, Sep 14, 2015 at 11:14 AM, Joe Stringer <joestringer@nicira.com> wrote:
> Static code analysis reveals the following bug:
>
>         net/openvswitch/conntrack.c:281 ovs_ct_helper()
>         warn: unsigned 'protoff' is never less than zero.
>
> This signedness bug breaks error handling for IPv6 extension headers when
> using conntrack helpers. Fix the error by using a local signed variable.
>
> Fixes:  cae3a2627520: "openvswitch: Allow attaching helpers to ct
> action"
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> Signed-off-by: Joe Stringer <joestringer@nicira.com>

Acked-by: Pravin B Shelar <pshelar@nicira.com>

Re: [PATCH net] openvswitch: Fix IPv6 exthdr handling with ct helpers.

[David Miller]

From: Joe Stringer <joestringer@nicira.com>
Date: Mon, 14 Sep 2015 11:14:50 -0700

> Static code analysis reveals the following bug:
> 
>         net/openvswitch/conntrack.c:281 ovs_ct_helper()
>         warn: unsigned 'protoff' is never less than zero.
> 
> This signedness bug breaks error handling for IPv6 extension headers when
> using conntrack helpers. Fix the error by using a local signed variable.
> 
> Fixes:  cae3a2627520: "openvswitch: Allow attaching helpers to ct
> action"
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> Signed-off-by: Joe Stringer <joestringer@nicira.com>

Applied, thanks.