From: Pan Bian
To: Pravin Shelar, "David S. Miller", netdev@vger.kernel.org, dev@openvswitch.org, linux-kernel@vger.kernel.org
Cc: Pan Bian
Subject: [PATCH 1/1] openvswitch: check return value of nla_nest_start
Date: Sun, 23 Apr 2017 14:43:02 +0800
Message-Id: <1492929782-1112-1-git-send-email-bianpan2016@163.com>
X-Mailer: git-send-email 1.9.1
X-Mailing-List: linux-kernel@vger.kernel.org

Function nla_nest_start() will return a NULL pointer on error, and its return value should be validated before it is used. However, in function queue_userspace_packet(), its return value is ignored. This may result in NULL dereference when calling nla_nest_end(). This patch fixes the bug.

Signed-off-by: Pan Bian
--- net/openvswitch/datapath.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c index 9c62b63..34c0fbd 100644 --- a/net/openvswitch/datapath.c +++ b/net/openvswitch/datapath.c 
@@ -489,7 +489,8 @@ static int queue_userspace_packet(struct datapath *dp, struct sk_buff *skb, err = ovs_nla_put_tunnel_info(user_skb, upcall_info->egress_tun_info); BUG_ON(err); - nla_nest_end(user_skb, nla); + if (nla) + nla_nest_end(user_skb, nla); } if (upcall_info->actions_len) { @@ -497,7 +498,7 @@ static int queue_userspace_packet(struct datapath *dp, struct sk_buff *skb, err = ovs_nla_put_actions(upcall_info->actions, upcall_info->actions_len, user_skb); - if (!err) + if (!err && nla) nla_nest_end(user_skb, nla); else nla_nest_cancel(user_skb, nla); -- 1.9.1
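Review bot: In the first hunk (@@ -489), the new `if (nla)` test comes too late: it sits after `ovs_nla_put_tunnel_info(user_skb, upcall_info->egress_tun_info);` and `BUG_ON(err);`, so when nla is NULL the tunnel attributes have already been written into user_skb with no enclosing nest, and a failing put still ends in BUG_ON(). Skipping nla_nest_end() then hands userspace a malformed upcall with no error reported. Please test the result right where nla_nest_start() is called and fail the upcall through the function's existing error path, instead of guarding only the nla_nest_end() call.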
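Review bot: In the second hunk (@@ -497), changing the condition to `if (!err && nla)` sends the nla == NULL case into the else branch, which calls `nla_nest_cancel(user_skb, nla);` with the same NULL pointer the patch is keeping away from nla_nest_end(). It also treats a successful ovs_nla_put_actions() as a failure without setting err, so the caller never learns the actions attribute is missing. As in the first hunk, the check belongs immediately after nla_nest_start(), before ovs_nla_put_actions() runs, with an explicit error return when the nest cannot be started.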