diff options
| author |   Joe Stringer <joestringer@nicira.com> | 2015-10-06 10:59:59 -0700 |
|---|---|---|
| committer |   David S. Miller <davem@davemloft.net> | 2015-10-07 05:03:05 -0700 |
| commit | 6f225952461b5e9b5520d0dc6e2ff0af57874fbb (patch) | |
| tree | 640b5ffa111825c21aa8ff7847e3d466b1922005 /net | |
| parent | openvswitch: Ensure flow is valid before executing ct (diff) | |
| download | linux-dev-6f225952461b5e9b5520d0dc6e2ff0af57874fbb.tar.xz linux-dev-6f225952461b5e9b5520d0dc6e2ff0af57874fbb.zip | |
openvswitch: Reject ct_state unsupported bits
Previously, if userspace specified ct_state bits in the flow key which
are currently undefined (and therefore unsupported), then they would be
ignored. This could cause unexpected behaviour in future if userspace is
extended to support additional bits but attempts to communicate with the
current version of the kernel. This patch rectifies the situation by
rejecting such ct_state bits.
Fixes: 7f8a436eaa2c "openvswitch: Add conntrack action"
Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/openvswitch/conntrack.h | 12 | ||||
| -rw-r--r-- | net/openvswitch/flow_netlink.c | 6 |
2 files changed, 18 insertions, 0 deletions
diff --git a/net/openvswitch/conntrack.h b/net/openvswitch/conntrack.h index 6bd603c6a031..d6eca8394254 100644 --- a/net/openvswitch/conntrack.h +++ b/net/openvswitch/conntrack.h @@ -34,6 +34,13 @@ int ovs_ct_execute(struct net *, struct sk_buff *, struct sw_flow_key *, void ovs_ct_fill_key(const struct sk_buff *skb, struct sw_flow_key *key); int ovs_ct_put_key(const struct sw_flow_key *key, struct sk_buff *skb); void ovs_ct_free_action(const struct nlattr *a); + +static inline bool ovs_ct_state_supported(u8 state) +{ + return !(state & ~(OVS_CS_F_NEW | OVS_CS_F_ESTABLISHED | + OVS_CS_F_RELATED | OVS_CS_F_REPLY_DIR | + OVS_CS_F_INVALID | OVS_CS_F_TRACKED)); +} #else #include <linux/errno.h> @@ -46,6 +53,11 @@ static inline bool ovs_ct_verify(struct net *net, int attr) return false; } +static inline bool ovs_ct_state_supported(u8 state) +{ + return false; +} + static inline int ovs_ct_copy_action(struct net *net, const struct nlattr *nla, const struct sw_flow_key *key, struct sw_flow_actions **acts, bool log) diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c index a60e3b7684bc..d47b5c5c640e 100644 --- a/net/openvswitch/flow_netlink.c +++ b/net/openvswitch/flow_netlink.c @@ -816,6 +816,12 @@ static int metadata_from_nlattrs(struct net *net, struct sw_flow_match *match, ovs_ct_verify(net, OVS_KEY_ATTR_CT_STATE)) { u8 ct_state = nla_get_u8(a[OVS_KEY_ATTR_CT_STATE]); + if (!is_mask && !ovs_ct_state_supported(ct_state)) { + OVS_NLERR(log, "ct_state flags %02x unsupported", + ct_state); + return -EINVAL; + } + SW_FLOW_KEY_PUT(match, ct.state, ct_state, is_mask); *attrs &= ~(1ULL << OVS_KEY_ATTR_CT_STATE); } |