diff options
| author | Thomas Graf <tgraf@suug.ch> | 2015-01-14 08:56:19 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2015-01-14 16:49:44 -0500 |
| commit | 1ba398041f5b5a15456ea20a9ba3ff80b6a4e7d1 (patch) | |
| tree | 11d8bc5cd83cdad417a1c4d5863a756023480f1d | |
| parent | 776d4e9f5c0229037707f692b386b1f2a5bac054 (diff) | |
openvswitch: packet messages need their own probe attribtue
User space is currently sending a OVS_FLOW_ATTR_PROBE for both flow
and packet messages. This leads to an out-of-bounds access in
ovs_packet_cmd_execute() because OVS_FLOW_ATTR_PROBE >
OVS_PACKET_ATTR_MAX.
Introduce a new OVS_PACKET_ATTR_PROBE with the same numeric value
as OVS_FLOW_ATTR_PROBE to grow the range of accepted packet attributes
while maintaining to be binary compatible with existing OVS binaries.
Fixes: 05da589 ("openvswitch: Add support for OVS_FLOW_ATTR_PROBE.")
Reported-by: Sander Eikelenboom <linux@eikelenboom.it>
Tracked-down-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Reviewed-by: Jesse Gross <jesse@nicira.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | include/uapi/linux/openvswitch.h | 4 | ||||
| -rw-r--r-- | net/openvswitch/datapath.c | 3 |
2 files changed, 6 insertions, 1 deletions
diff --git a/include/uapi/linux/openvswitch.h b/include/uapi/linux/openvswitch.h index 3a6dcaa359b7..f714e8633352 100644 --- a/include/uapi/linux/openvswitch.h +++ b/include/uapi/linux/openvswitch.h | |||
| @@ -174,6 +174,10 @@ enum ovs_packet_attr { | |||
| 174 | OVS_PACKET_ATTR_USERDATA, /* OVS_ACTION_ATTR_USERSPACE arg. */ | 174 | OVS_PACKET_ATTR_USERDATA, /* OVS_ACTION_ATTR_USERSPACE arg. */ |
| 175 | OVS_PACKET_ATTR_EGRESS_TUN_KEY, /* Nested OVS_TUNNEL_KEY_ATTR_* | 175 | OVS_PACKET_ATTR_EGRESS_TUN_KEY, /* Nested OVS_TUNNEL_KEY_ATTR_* |
| 176 | attributes. */ | 176 | attributes. */ |
| 177 | OVS_PACKET_ATTR_UNUSED1, | ||
| 178 | OVS_PACKET_ATTR_UNUSED2, | ||
| 179 | OVS_PACKET_ATTR_PROBE, /* Packet operation is a feature probe, | ||
| 180 | error logging should be suppressed. */ | ||
| 177 | __OVS_PACKET_ATTR_MAX | 181 | __OVS_PACKET_ATTR_MAX |
| 178 | }; | 182 | }; |
| 179 | 183 | ||
diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c index 4e9a5f035cbc..b07349e82d78 100644 --- a/net/openvswitch/datapath.c +++ b/net/openvswitch/datapath.c | |||
| @@ -524,7 +524,7 @@ static int ovs_packet_cmd_execute(struct sk_buff *skb, struct genl_info *info) | |||
| 524 | struct vport *input_vport; | 524 | struct vport *input_vport; |
| 525 | int len; | 525 | int len; |
| 526 | int err; | 526 | int err; |
| 527 | bool log = !a[OVS_FLOW_ATTR_PROBE]; | 527 | bool log = !a[OVS_PACKET_ATTR_PROBE]; |
| 528 | 528 | ||
| 529 | err = -EINVAL; | 529 | err = -EINVAL; |
| 530 | if (!a[OVS_PACKET_ATTR_PACKET] || !a[OVS_PACKET_ATTR_KEY] || | 530 | if (!a[OVS_PACKET_ATTR_PACKET] || !a[OVS_PACKET_ATTR_KEY] || |
| @@ -610,6 +610,7 @@ static const struct nla_policy packet_policy[OVS_PACKET_ATTR_MAX + 1] = { | |||
| 610 | [OVS_PACKET_ATTR_PACKET] = { .len = ETH_HLEN }, | 610 | [OVS_PACKET_ATTR_PACKET] = { .len = ETH_HLEN }, |
| 611 | [OVS_PACKET_ATTR_KEY] = { .type = NLA_NESTED }, | 611 | [OVS_PACKET_ATTR_KEY] = { .type = NLA_NESTED }, |
| 612 | [OVS_PACKET_ATTR_ACTIONS] = { .type = NLA_NESTED }, | 612 | [OVS_PACKET_ATTR_ACTIONS] = { .type = NLA_NESTED }, |
| 613 | [OVS_PACKET_ATTR_PROBE] = { .type = NLA_FLAG }, | ||
| 613 | }; | 614 | }; |
| 614 | 615 | ||
| 615 | static const struct genl_ops dp_packet_genl_ops[] = { | 616 | static const struct genl_ops dp_packet_genl_ops[] = { |