openvswitch: Avoid OOB read when parsing flow nlattrs

rosslagerwall · davem330 · commit 04a4af334b97 · 2019-01-16T13:35:21.000-08:00
For nested and variable attributes, the expected length of an attribute
is not known and marked by a negative number.  This results in an OOB
read when the expected length is later used to check if the attribute is
all zeros. Fix this by using the actual length of the attribute rather
than the expected length.

Signed-off-by: Ross Lagerwall &lt;ross.lagerwall@citrix.com&gt;
Acked-by: Pravin B Shelar &lt;pshelar@ovn.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
@@ -500,7 +500,7 @@ static int __parse_flow_nlattrs(const struct nlattr *attr,
 			return -EINVAL;
 		}
 
-		if (!nz || !is_all_zero(nla_data(nla), expected_len)) {
+		if (!nz || !is_all_zero(nla_data(nla), nla_len(nla))) {
 			attrs |= 1 << type;
 			a[type] = nla;
 		}

Original file line number	Diff line number	Diff line change
`@@ -500,7 +500,7 @@ static int __parse_flow_nlattrs(const struct nlattr *attr,`
`500`	`500`	`return -EINVAL;`
`501`	`501`	`}`
`502`	`502`
`503`		`- if (!nz \|\| !is_all_zero(nla_data(nla), expected_len)) {`
	`503`	`+ if (!nz \|\| !is_all_zero(nla_data(nla), nla_len(nla))) {`
`504`	`504`	`attrs \|= 1 << type;`
`505`	`505`	`a[type] = nla;`
`506`	`506`	`}`