Commit 6beb6835 authored May 06, 2025 by Eelco Chaudron Committed by Jakub Kicinski May 07, 2025

openvswitch: Fix unsafe attribute parsing in output_userspace()



This patch replaces the manual Netlink attribute iteration in
output_userspace() with nla_for_each_nested(), which ensures that only
well-formed attributes are processed.

Fixes: ccb1352e ("net: Add Open vSwitch kernel components.")
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
Acked-by: Ilya Maximets <i.maximets@ovn.org>
Acked-by: Aaron Conole <aconole@redhat.com>
Link: https://patch.msgid.link/0bd65949df61591d9171c0dc13e42cea8941da10.1746541734.git.echaudro@redhat.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parent 9540984d

net/openvswitch/actions.c

+1 −2

Original line number	Diff line number	Diff line
		@@ -975,8 +975,7 @@ static int output_userspace(struct datapath dp, struct sk_buff skb,
		upcall.cmd = OVS_PACKET_CMD_ACTION;
		upcall.mru = OVS_CB(skb)->mru;

		for (a = nla_data(attr), rem = nla_len(attr); rem > 0;
		a = nla_next(a, &rem)) {
		nla_for_each_nested(a, attr, rem) {
		switch (nla_type(a)) {
		case OVS_USERSPACE_ATTR_USERDATA:
		upcall.userdata = a;