Commit f53e3831 authored Jul 17, 2014 by Andy Zhou Committed by Pravin B Shelar Jul 24, 2014

openvswitch: Avoid memory corruption in queue_userspace_packet()



In queue_userspace_packet(), the ovs_nla_put_flow return value is
not checked. This is fine as long as key_attr_size() returns the
correct value. In case it does not, the current code may corrupt buffer
memory. Add a run time assertion catch this case to avoid silent
failure.

Reported-by: Ben Pfaff <blp@nicira.com>
Signed-off-by: Andy Zhou <azhou@nicira.com>
Signed-off-by: Pravin B Shelar <pshelar@nicira.com>

parent f6eec614

net/openvswitch/datapath.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -464,7 +464,8 @@ static int queue_userspace_packet(struct datapath dp, struct sk_buff skb,
		upcall->dp_ifindex = dp_ifindex;

		nla = nla_nest_start(user_skb, OVS_PACKET_ATTR_KEY);
		ovs_nla_put_flow(upcall_info->key, upcall_info->key, user_skb);
		err = ovs_nla_put_flow(upcall_info->key, upcall_info->key, user_skb);
		BUG_ON(err);
		nla_nest_end(user_skb, nla);

		if (upcall_info->userdata)