From mboxrd@z Thu Jan 1 00:00:00 1970 From: Jiecheng Wu Subject: [PATCH] datapath.c: fix missing return value check of nla_nest_start() Date: Fri, 17 Aug 2018 16:15:08 +0800 Message-ID: <20180817081508.7104-1-jasonwood2031@gmail.com> To: netdev@vger.kernel.org Return-path: Received: from mail-pl0-f68.google.com ([209.85.160.68]:36519 "EHLO mail-pl0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725992AbeHQLRp (ORCPT ); Fri, 17 Aug 2018 07:17:45 -0400 Received: by mail-pl0-f68.google.com with SMTP id e11-v6so3390774plb.3 for ; Fri, 17 Aug 2018 01:15:19 -0700 (PDT) Received: from localhost.localdomain ([2402:f000:1:1501:200:5efe:a66f:53fa]) by smtp.gmail.com with ESMTPSA id z4-v6sm2716979pfl.11.2018.08.17.01.15.18 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Fri, 17 Aug 2018 01:15:18 -0700 (PDT) Sender: netdev-owner@vger.kernel.org List-ID: Function queue_userspace_packet() defined in net/openvswitch/datapath.c calls nla_nest_start() to allocate memory for struct nlattr which is dereferenced immediately. As nla_nest_start() may return NULL on failure, this code piece may cause NULL pointer dereference bug. --- net/openvswitch/datapath.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c index 0f5ce77..ff4457d 100644 --- a/net/openvswitch/datapath.c +++ b/net/openvswitch/datapath.c @@ -460,6 +460,8 @@ static int queue_userspace_packet(struct datapath *dp, struct sk_buff *skb, if (upcall_info->egress_tun_info) { nla = nla_nest_start(user_skb, OVS_PACKET_ATTR_EGRESS_TUN_KEY); + if (!nla) + return -EMSGSIZE; err = ovs_nla_put_tunnel_info(user_skb, upcall_info->egress_tun_info); BUG_ON(err); @@ -468,6 +470,8 @@ static int queue_userspace_packet(struct datapath *dp, struct sk_buff *skb, if (upcall_info->actions_len) { nla = nla_nest_start(user_skb, OVS_PACKET_ATTR_ACTIONS); + if (!nla) + return -EMSGSIZE; err = ovs_nla_put_actions(upcall_info->actions, upcall_info->actions_len, user_skb); -- 2.6.4