From: Ben Pfaff <blp@nicira.com>
Date: Wed, 6 May 2009 22:35:25 +0000 (-0700)
Subject: datapath: Make sure that the "reserved" byte in user-provided flow is zero.
X-Git-Url: https://pintos-os.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=069004f484d4f07f8ca125f853a20a32f3a08b17;p=openvswitch

datapath: Make sure that the "reserved" byte in user-provided flow is zero.

Otherwise we could return a "false negative" lookup result to the user.
(This is not known to fix any real bug; for it to do so, there would have
to be userspace code that doesn't initialize the "reserved" byte, but I
don't know of any.)
---

diff --git a/datapath/datapath.c b/datapath/datapath.c
index 89726119..34172027 100644
--- a/datapath/datapath.c
+++ b/datapath/datapath.c
@@ -882,6 +882,7 @@ static int put_flow(struct datapath *dp, struct odp_flow_put __user *ufp)
 	error = -EFAULT;
 	if (copy_from_user(&uf, ufp, sizeof(struct odp_flow_put)))
 		goto error;
+	uf.flow.key.reserved = 0;
 
 retry:
 	table = rcu_dereference(dp->table);
@@ -1025,6 +1026,7 @@ static int del_or_query_flow(struct datapath *dp,
 	error = -EFAULT;
 	if (copy_from_user(&uf, ufp, sizeof uf))
 		goto error;
+	uf.key.reserved = 0;
 
 	flow = dp_table_lookup(table, &uf.key);
 	error = -ENOENT;
@@ -1065,6 +1067,7 @@ static int query_multiple_flows(struct datapath *dp,
 
 		if (__copy_from_user(&uf, ufp, sizeof uf))
 			return -EFAULT;
+		uf.key.reserved = 0;
 
 		flow = dp_table_lookup(table, &uf.key);
 		if (!flow)