dpif-netlink: Fix send of uninitialized memory in ct limit requests.

ct limit requests never initializes the whole 'struct ovs_zone_limit' sending uninitialized stack memory to kernel: Syscall param sendmsg(msg.msg_iov[0]) points to uninitialised byte(s) at 0x5E23867: sendmsg (in /usr/lib64/libpthread-2.28.so) by 0x54F761: nl_sock_transact_multiple__ (netlink-socket.c:858) by 0x54FB6E: nl_sock_transact_multiple.part.9 (netlink-socket.c:1079) by 0x54FCC0: nl_sock_transact_multiple (netlink-socket.c:1044) by 0x54FCC0: nl_sock_transact (netlink-socket.c:1108) by 0x550B6F: nl_transact (netlink-socket.c:1804) by 0x53BEA2: dpif_netlink_ct_get_limits (dpif-netlink.c:3052) by 0x588B57: dpctl_ct_get_limits (dpctl.c:2178) by 0x586FF2: dpctl_unixctl_handler (dpctl.c:2870) by 0x52C241: process_command (unixctl.c:310) by 0x52C241: run_connection (unixctl.c:344) by 0x52C241: unixctl_server_run (unixctl.c:395) by 0x407526: main (ovs-vswitchd.c:128) Address 0x10b87480 is 32 bytes inside a block of size 4,096 alloc'd at 0x4C30F0B: malloc (vg_replace_malloc.c:307) by 0x52CDE4: xmalloc (util.c:138) by 0x4F7E07: ofpbuf_init (ofpbuf.c:123) by 0x4F7E07: ofpbuf_new (ofpbuf.c:151) by 0x53BDE3: dpif_netlink_ct_get_limits (dpif-netlink.c:3025) by 0x588B57: dpctl_ct_get_limits (dpctl.c:2178) by 0x586FF2: dpctl_unixctl_handler (dpctl.c:2870) by 0x52C241: process_command (unixctl.c:310) by 0x52C241: run_connection (unixctl.c:344) by 0x52C241: unixctl_server_run (unixctl.c:395) by 0x407526: main (ovs-vswitchd.c:128) Uninitialised value was created by a stack allocation at 0x46AAA0: ct_dpif_get_limits (ct-dpif.c:197) Fix that by using designated initializers that will clear all the non-specified fields. Fixes: 906ff9d ("dpif-netlink: Implement conntrack zone limit") Signed-off-by: Ilya Maximets <i.maximets@ovn.org> Acked-by: Mark D. Gray <mark.d.gray@redhat.com>
openvswitch · May 24, 2021 · 8be19f7 · 8be19f7
1 parent 25dd084
commit 8be19f7
Showing 1 changed file with 14 additions and 10 deletions.
diff --git a/lib/dpif-netlink.c b/lib/dpif-netlink.c
@@ -2908,8 +2908,6 @@ dpif_netlink_ct_set_limits(struct dpif *dpif OVS_UNUSED,
                            const uint32_t *default_limits,
                            const struct ovs_list *zone_limits)
 {
-    struct ovs_zone_limit req_zone_limit;
-
     if (ovs_ct_limit_family < 0) {
         return EOPNOTSUPP;
     }
@@ -2926,17 +2924,21 @@ dpif_netlink_ct_set_limits(struct dpif *dpif OVS_UNUSED,
     size_t opt_offset;
     opt_offset = nl_msg_start_nested(request, OVS_CT_LIMIT_ATTR_ZONE_LIMIT);
     if (default_limits) {
-        req_zone_limit.zone_id = OVS_ZONE_LIMIT_DEFAULT_ZONE;
-        req_zone_limit.limit = *default_limits;
+        struct ovs_zone_limit req_zone_limit = {
+            .zone_id = OVS_ZONE_LIMIT_DEFAULT_ZONE,
+            .limit   = *default_limits,
+        };
         nl_msg_put(request, &req_zone_limit, sizeof req_zone_limit);
     }
 
     if (!ovs_list_is_empty(zone_limits)) {
         struct ct_dpif_zone_limit *zone_limit;
 
         LIST_FOR_EACH (zone_limit, node, zone_limits) {
-            req_zone_limit.zone_id = zone_limit->zone;
-            req_zone_limit.limit = zone_limit->limit;
+            struct ovs_zone_limit req_zone_limit = {
+                .zone_id = zone_limit->zone,
+                .limit   = zone_limit->limit,
+            };
             nl_msg_put(request, &req_zone_limit, sizeof req_zone_limit);
         }
     }
@@ -3020,8 +3022,9 @@ dpif_netlink_ct_get_limits(struct dpif *dpif OVS_UNUSED,
         size_t opt_offset = nl_msg_start_nested(request,
                                                 OVS_CT_LIMIT_ATTR_ZONE_LIMIT);
 
-        struct ovs_zone_limit req_zone_limit;
-        req_zone_limit.zone_id = OVS_ZONE_LIMIT_DEFAULT_ZONE;
+        struct ovs_zone_limit req_zone_limit = {
+            .zone_id = OVS_ZONE_LIMIT_DEFAULT_ZONE,
+        };
         nl_msg_put(request, &req_zone_limit, sizeof req_zone_limit);
 
         struct ct_dpif_zone_limit *zone_limit;
@@ -3071,8 +3074,9 @@ dpif_netlink_ct_del_limits(struct dpif *dpif OVS_UNUSED,
 
         struct ct_dpif_zone_limit *zone_limit;
         LIST_FOR_EACH (zone_limit, node, zone_limits) {
-            struct ovs_zone_limit req_zone_limit;
-            req_zone_limit.zone_id = zone_limit->zone;
+            struct ovs_zone_limit req_zone_limit = {
+                .zone_id = zone_limit->zone,
+            };
             nl_msg_put(request, &req_zone_limit, sizeof req_zone_limit);
         }
         nl_msg_end_nested(request, opt_offset);