Patch "openvswitch: fix potential out of bound access in parse_ct" has been added to the 4.12-stable tree

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* Patch "openvswitch: fix potential out of bound access in parse_ct" has been added to the 4.12-stable tree
@ 2017-08-08 23:29 gregkh
  0 siblings, 0 replies; only message in thread
From: gregkh @ 2017-08-08 23:29 UTC (permalink / raw)
  To: zlpnobody, davem, gregkh, pshelar; +Cc: stable, stable-commits


This is a note to let you know that I've just added the patch titled

    openvswitch: fix potential out of bound access in parse_ct

to the 4.12-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     openvswitch-fix-potential-out-of-bound-access-in-parse_ct.patch
and it can be found in the queue-4.12 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From foo@baz Tue Aug  8 16:27:29 PDT 2017
From: Liping Zhang <zlpnobody@gmail.com>
Date: Sun, 23 Jul 2017 17:52:23 +0800
Subject: openvswitch: fix potential out of bound access in parse_ct

From: Liping Zhang <zlpnobody@gmail.com>


[ Upstream commit 69ec932e364b1ba9c3a2085fe96b76c8a3f71e7c ]

Before the 'type' is validated, we shouldn't use it to fetch the
ovs_ct_attr_lens's minlen and maxlen, else, out of bound access
may happen.

Fixes: 7f8a436eaa2c ("openvswitch: Add conntrack action")
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Acked-by: Pravin B Shelar <pshelar@ovn.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/openvswitch/conntrack.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/net/openvswitch/conntrack.c
+++ b/net/openvswitch/conntrack.c
@@ -1289,8 +1289,8 @@ static int parse_ct(const struct nlattr
 
 	nla_for_each_nested(a, attr, rem) {
 		int type = nla_type(a);
-		int maxlen = ovs_ct_attr_lens[type].maxlen;
-		int minlen = ovs_ct_attr_lens[type].minlen;
+		int maxlen;
+		int minlen;
 
 		if (type > OVS_CT_ATTR_MAX) {
 			OVS_NLERR(log,
@@ -1298,6 +1298,9 @@ static int parse_ct(const struct nlattr
 				  type, OVS_CT_ATTR_MAX);
 			return -EINVAL;
 		}
+
+		maxlen = ovs_ct_attr_lens[type].maxlen;
+		minlen = ovs_ct_attr_lens[type].minlen;
 		if (nla_len(a) < minlen || nla_len(a) > maxlen) {
 			OVS_NLERR(log,
 				  "Conntrack attr type has unexpected length (type=%d, length=%d, expected=%d)",


Patches currently in stable-queue which might be from zlpnobody@gmail.com are

queue-4.12/openvswitch-fix-potential-out-of-bound-access-in-parse_ct.patch

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2017-08-08 23:29 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-08-08 23:29 Patch "openvswitch: fix potential out of bound access in parse_ct" has been added to the 4.12-stable tree gregkh

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).