From mboxrd@z Thu Jan 1 00:00:00 1970 From: Stephen Hemminger Subject: [PATCH net 1/2] openvswitch: check for null return for nla_nest_start Date: Wed, 18 Jul 2018 09:12:15 -0700 Message-ID: <20180718161216.27820-2-sthemmin@microsoft.com> References: <20180718161216.27820-1-sthemmin@microsoft.com> Cc: netdev@vger.kernel.org, dev@openvswitch.org, Stephen Hemminger , Stephen Hemminger To: pshelar@ovn.org, davem@davemloft.net Return-path: Received: from mail-pf0-f194.google.com ([209.85.192.194]:40738 "EHLO mail-pf0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731369AbeGRQu4 (ORCPT ); Wed, 18 Jul 2018 12:50:56 -0400 Received: by mail-pf0-f194.google.com with SMTP id e13-v6so2428932pff.7 for ; Wed, 18 Jul 2018 09:12:20 -0700 (PDT) In-Reply-To: <20180718161216.27820-1-sthemmin@microsoft.com> Sender: netdev-owner@vger.kernel.org List-ID: The call to nla_nest_start in conntrack can lead to a NULL return so it's possible for attr to become NULL and we can potentially get a NULL pointer dereference on attr. Fix this by checking for a NULL return. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200533 Fixes: 11efd5cb04a1 ("openvswitch: Support conntrack zone limit") Signed-off-by: Stephen Hemminger --- net/openvswitch/conntrack.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index 284aca2a252d..2e316f641df8 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c @@ -2132,6 +2132,8 @@ static int ovs_ct_limit_cmd_get(struct sk_buff *skb, struct genl_info *info) return PTR_ERR(reply); nla_reply = nla_nest_start(reply, OVS_CT_LIMIT_ATTR_ZONE_LIMIT); + if (!nla_reply) + return PRT_ERR(-EMSGSIZE); if (a[OVS_CT_LIMIT_ATTR_ZONE_LIMIT]) { err = ovs_ct_limit_get_zone_limit( -- 2.18.0
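Review bot: The added check in ovs_ct_limit_cmd_get() returns `PRT_ERR(-EMSGSIZE)`, which will not build: `PRT_ERR` looks like a misspelling of `PTR_ERR`. Even spelled correctly, PTR_ERR() turns an error pointer into an integer, so it is the wrong wrapper for a plain errno in a function that returns int. Return the value directly, as in `return -EMSGSIZE;`. Separately, `reply` has already passed its own error check on the preceding line, so it holds a valid message when nla_nest_start() fails, and returning at this point without releasing it appears to leak that buffer. Setting `err = -EMSGSIZE` and leaving through whatever cleanup path the function uses to free `reply` (not visible in this hunk) would cover both the NULL dereference and the leak.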