datapath: Avoid bad array reference for missing group in ODPAT_OUTPUT_GROUP.

When ODPAT_OUTPUT_GROUP referenced a group that hadn't been created,
output_group() would return a negative number other than -1.
execute_actions() would pass this later to do_output(), which would then
use it as a bogus array index, accessing invalid memory.

This commit fixes it by making it return -1 instead, which the caller
interprets correctly.

Thanks to Justin for leading me to scrutinize this code.

diff --git a/datapath/actions.c b/datapath/actions.c
index d9b92f1d62b3f25d88a60cbd6d364b73c5eebc53..6eb5813efd7378f4141638e0591a19454596adab 100644 (file)
--- a/datapath/actions.c
+++ b/datapath/actions.c
@@ -323,7 +323,7 @@ static int output_group(struct datapath *dp, __u16 group,
        int i;
 
        if (!g)
-               return -EINVAL;
+               return -1;
        for (i = 0; i < g->n_ports; i++) {
                struct net_bridge_port *p = dp->ports[g->ports[i]];
                if (!p || skb->dev == p->dev)