From mboxrd@z Thu Jan  1 00:00:00 1970
From: Stephen Hemminger <stephen@networkplumber.org>
Subject: [PATCH net 2/2] openvswitch: check for null return for nla_nest_start in datapath
Date: Wed, 18 Jul 2018 09:12:16 -0700
Message-ID: <20180718161216.27820-3-sthemmin@microsoft.com>
References: <20180718161216.27820-1-sthemmin@microsoft.com>
Cc: netdev@vger.kernel.org, dev@openvswitch.org,
        Stephen Hemminger <sthemmin@microsoft.com>,
        Stephen Hemminger <stephen@networkplumber.org>
To: pshelar@ovn.org, davem@davemloft.net
Return-path: <netdev-owner@vger.kernel.org>
Received: from mail-pl0-f68.google.com ([209.85.160.68]:32777 "EHLO
        mail-pl0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1731369AbeGRQu5 (ORCPT
        <rfc822;netdev@vger.kernel.org>); Wed, 18 Jul 2018 12:50:57 -0400
Received: by mail-pl0-f68.google.com with SMTP id 6-v6so2261742plb.0
        for <netdev@vger.kernel.org>; Wed, 18 Jul 2018 09:12:21 -0700 (PDT)
In-Reply-To: <20180718161216.27820-1-sthemmin@microsoft.com>
Sender: netdev-owner@vger.kernel.org
List-ID: <netdev.vger.kernel.org>

The call to nla_nest_start when forming packet messages can lead to a NULL
return so it's possible for attr to become NULL and we can potentially
get a NULL pointer dereference on attr.  Fix this by checking for
a NULL return.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200537
Fixes: 8f0aad6f35f7 ("openvswitch: Extend packet attribute for egress tunnel info")
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 net/openvswitch/datapath.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
index 0f5ce77460d4..93c3eb635827 100644
--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -460,6 +460,10 @@ static int queue_userspace_packet(struct datapath *dp, struct sk_buff *skb,
 
 	if (upcall_info->egress_tun_info) {
 		nla = nla_nest_start(user_skb, OVS_PACKET_ATTR_EGRESS_TUN_KEY);
+		if (!nla) {
+			err = -EMSGSIZE;
+			goto out;
+		}
 		err = ovs_nla_put_tunnel_info(user_skb,
 					      upcall_info->egress_tun_info);
 		BUG_ON(err);
@@ -468,6 +472,10 @@ static int queue_userspace_packet(struct datapath *dp, struct sk_buff *skb,
 
 	if (upcall_info->actions_len) {
 		nla = nla_nest_start(user_skb, OVS_PACKET_ATTR_ACTIONS);
+		if (!nla) {
+			err = -EMSGSIZE;
+			goto out;
+		}
 		err = ovs_nla_put_actions(upcall_info->actions,
 					  upcall_info->actions_len,
 					  user_skb);
-- 
2.18.0