From 535d6987a7af3bef33bf2db21b52bb81e3ea64ee Mon Sep 17 00:00:00 2001
From: Ben Pfaff
Date: Tue, 1 Feb 2011 11:23:30 -0800
Subject: [PATCH] Zero padding bytes in odp_key_ipv4, odp_key_arp.
This is a potential security issue for the kernel. In userspace it just provokes false-positive valgrind warnings (which is how I found it).
Signed-off-by: Ben Pfaff
Acked-by: Jesse Gross
---
 datapath/flow.c | 3 +++
 lib/odp-util.c | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/datapath/flow.c b/datapath/flow.c
index 9823b9fe..735e1479 100644
--- a/datapath/flow.c
+++ b/datapath/flow.c
@@ -845,6 +845,7 @@ int flow_to_nlattrs(const struct sw_flow_key *swkey, struct sk_buff *skb)
 if (!nla)
 goto nla_put_failure;
 ipv4_key = nla_data(nla);
+ memset(ipv4_key, 0, sizeof(struct odp_key_ipv4));
 ipv4_key->ipv4_src = swkey->ipv4_src;
 ipv4_key->ipv4_dst = swkey->ipv4_dst;
 ipv4_key->ipv4_proto = swkey->nw_proto;
@@ -856,6 +857,7 @@ int flow_to_nlattrs(const struct sw_flow_key *swkey, struct sk_buff *skb)
 if (!nla)
 goto nla_put_failure;
 ipv6_key = nla_data(nla);
+ memset(ipv6_key, 0, sizeof(struct odp_key_ipv6));
 memcpy(ipv6_key->ipv6_src, swkey->ipv6_src,
 sizeof(ipv6_key->ipv6_src));
 memcpy(ipv6_key->ipv6_dst, swkey->ipv6_dst,
@@ -869,6 +871,7 @@ int flow_to_nlattrs(const struct sw_flow_key *swkey, struct sk_buff *skb)
 if (!nla)
 goto nla_put_failure;
 arp_key = nla_data(nla);
+ memset(arp_key, 0, sizeof(struct odp_key_arp));
 arp_key->arp_sip = swkey->ipv4_src;
 arp_key->arp_tip = swkey->ipv4_dst;
 arp_key->arp_op = htons(swkey->nw_proto);
diff --git a/lib/odp-util.c b/lib/odp-util.c
index c90ff7d2..973490dc 100644
--- a/lib/odp-util.c
+++ b/lib/odp-util.c
@@ -430,6 +430,7 @@ odp_flow_key_from_flow(struct ofpbuf *buf, const struct flow *flow)
 ipv4_key = nl_msg_put_unspec_uninit(buf, ODP_KEY_ATTR_IPV4, sizeof *ipv4_key);
+ memset(ipv4_key, 0, sizeof *ipv4_key);
 ipv4_key->ipv4_src = flow->nw_src;
 ipv4_key->ipv4_dst = flow->nw_dst;
 ipv4_key->ipv4_proto = flow->nw_proto;
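Review bot: In the first datapath/flow.c hunk (ipv4), nothing at the new `memset` says that it exists to clear struct padding, and because the visible fields are assigned right after it, it reads like a dead store that a later cleanup could remove, bringing the uninitialized bytes back. I would put `/* Clear padding so no uninitialized bytes leave the kernel. */` above it, and the same above the ipv6 and arp memsets in the next two hunks. Writing the size as `sizeof(*ipv4_key)` rather than `sizeof(struct odp_key_ipv4)` would also keep it tied to the pointer, as the lib/odp-util.c hunks in this commit already do. flow_to_nlattrs begins and ends outside the hunk.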
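Review bot: The other key attributes that flow_to_nlattrs fills in lie outside these three hunks, so from the third hunk (arp), the last one touched in this function, I cannot confirm that none of them has padding or reserved members that are left unwritten; that is worth checking before relying on this fix. A small helper that reserves the attribute and clears its payload before returning it would cover every key type, including ones added later, instead of depending on a per-type `memset`. The function body continues outside the hunk.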
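Review bot: In lib/odp-util.c, `nl_msg_put_unspec_uninit` followed by a hand-written `memset` is repeated at three call sites (the ipv4 hunk and the ipv6 and arp hunks after it), so the next key type added to odp_flow_key_from_flow can skip the zeroing without anyone noticing. A wrapper that reserves and clears in one call makes the zeroed buffer the default. The helper name below is only a suggestion, and the `uint16_t` type parameter is assumed from the netlink attribute type and should be checked against the declaration. odp_flow_key_from_flow begins and ends outside the hunk.

```c
/* Appends a 'size'-byte attribute of 'type' to 'buf' with every byte,
 * padding included, set to zero, and returns its payload. */
static void *
put_key_zeroed(struct ofpbuf *buf, uint16_t type, size_t size)
{
    void *payload = nl_msg_put_unspec_uninit(buf, type, size);
    memset(payload, 0, size);
    return payload;
}

/* … unchanged: surrounding code in odp_flow_key_from_flow … */
    ipv4_key = put_key_zeroed(buf, ODP_KEY_ATTR_IPV4, sizeof *ipv4_key);
```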
@@ -439,6 +440,7 @@ odp_flow_key_from_flow(struct ofpbuf *buf, const struct flow *flow)
 ipv6_key = nl_msg_put_unspec_uninit(buf, ODP_KEY_ATTR_IPV6, sizeof *ipv6_key);
+ memset(ipv6_key, 0, sizeof *ipv6_key);
 memcpy(ipv6_key->ipv6_src, &flow->ipv6_src, sizeof ipv6_key->ipv6_src);
 memcpy(ipv6_key->ipv6_dst, &flow->ipv6_dst, sizeof ipv6_key->ipv6_dst);
 ipv6_key->ipv6_proto = flow->nw_proto;
@@ -448,6 +450,7 @@ odp_flow_key_from_flow(struct ofpbuf *buf, const struct flow *flow)
 arp_key = nl_msg_put_unspec_uninit(buf, ODP_KEY_ATTR_ARP, sizeof *arp_key);
+ memset(arp_key, 0, sizeof *arp_key);
 arp_key->arp_sip = flow->nw_src;
 arp_key->arp_tip = flow->nw_dst;
 arp_key->arp_op = htons(flow->nw_proto);
--
2.30.2