From cefa91b2332d7009bc0be5d951d6cbbf349f90f8 Mon Sep 17 00:00:00 2001
From: Paolo Valerio <pvalerio@redhat.com>
Date: Fri, 15 Apr 2022 10:08:41 +0200
Subject: [PATCH] openvswitch: fix OOB access in reserve_sfa_size()
Given a sufficiently large number of actions, while copying and
reserving memory for a new action of a new flow, if next_offset is
greater than MAX_ACTIONS_BUFSIZE, the function reserve_sfa_size() does
not return -EMSGSIZE as expected, but it allocates MAX_ACTIONS_BUFSIZE
bytes increasing actions_len by req_size. This can then lead to an OOB
write access, especially when further actions need to be copied.
Fix it by rearranging the flow action size check.
Conflict:NA
Reference:https://github.com/torvalds/linux/commit/cefa91b2332d7009bc0be5d951d6cbbf349f90f8
---
datapath/flow_netlink.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
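--- a/datapath/flow_netlink.c
+++ b/datapath/flow_netlink.c
@@ -2322,7 +2322,7 @@ static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa,
 new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2);
 
 if (new_acts_size > MAX_ACTIONS_BUFSIZE) {
- if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) {
+ if ((next_offset + req_size) > MAX_ACTIONS_BUFSIZE) {
 OVS_NLERR(log, "Flow action size exceeds max %u",
 MAX_ACTIONS_BUFSIZE);
 return ERR_PTR(-EMSGSIZE);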
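Review bot: The rewritten bound check `if ((next_offset + req_size) > MAX_ACTIONS_BUFSIZE)` has no comment explaining why the sum is compared rather than the remaining space, so a later cleanup could turn it back into the subtraction form. The commit message says the old check failed to return -EMSGSIZE once next_offset exceeded MAX_ACTIONS_BUFSIZE, presumably because the negative difference was compared against an unsigned req_size; both declarations are outside this hunk, so confirm that there. I would add `/* Compare the sum: MAX_ACTIONS_BUFSIZE - next_offset can go negative and wrap when compared with req_size. */` directly above the check. Also confirm that `next_offset + req_size` cannot itself wrap for the largest attribute length a caller can pass, since the same sum feeds `new_acts_size` on the first context line. reserve_sfa_size() starts and ends outside the hunk.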
--
2.33.0