net: openvswitch: fix nested key length validation in the set() action

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

It's not safe to access nla_len(ovs_key) if the data is smaller than
the netlink header. Check that the attribute is OK first.

Fixes: ccb1352e76cf ("net: Add Open vSwitch kernel components.")
Reported-by: syzbot+b07a9da40df1576b8048@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b07a9da40df1576b8048
Tested-by: syzbot+b07a9da40df1576b8048@syzkaller.appspotmail.com
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Reviewed-by: Eelco Chaudron <echaudro@redhat.com>
Acked-by: Aaron Conole <aconole@redhat.com>
Link: https://patch.msgid.link/20250412104052.2073688-1-i.maximets@ovn.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

authored by

Ilya Maximets and committed by

Jakub Kicinski 1 year ago 65d91192 186e5888

+2 -1

1 changed file

expand all

net

openvswitch

flow_netlink.c

+2 -1

net/openvswitch/flow_netlink.c

··· 2876 2876 size_t key_len; 2877 2877 2878 2878 /* There can be only one key in a action */ 2879 - if (nla_total_size(nla_len(ovs_key)) != nla_len(a)) 2879 + if (!nla_ok(ovs_key, nla_len(a)) || 2880 + nla_total_size(nla_len(ovs_key)) != nla_len(a)) 2880 2881 return -EINVAL; 2881 2882 2882 2883 key_len = nla_len(ovs_key);

Configure Feed

Configure Feed