3.18-stable patches

added patches:
	openvswitch-avoid-oob-read-when-parsing-flow-nlattrs.patch

diff --git a/queue-3.18/openvswitch-avoid-oob-read-when-parsing-flow-nlattrs.patch b/queue-3.18/openvswitch-avoid-oob-read-when-parsing-flow-nlattrs.patch
new file mode 100644 (file)
index 0000000..fa4bd1d
--- /dev/null
+++ b/queue-3.18/openvswitch-avoid-oob-read-when-parsing-flow-nlattrs.patch
@@ -0,0 +1,34 @@
+From foo@baz Sat Jan 26 11:30:37 CET 2019
+From: Ross Lagerwall <ross.lagerwall@citrix.com>
+Date: Mon, 14 Jan 2019 09:16:56 +0000
+Subject: openvswitch: Avoid OOB read when parsing flow nlattrs
+
+From: Ross Lagerwall <ross.lagerwall@citrix.com>
+
+[ Upstream commit 04a4af334b971814eedf4e4a413343ad3287d9a9 ]
+
+For nested and variable attributes, the expected length of an attribute
+is not known and marked by a negative number.  This results in an OOB
+read when the expected length is later used to check if the attribute is
+all zeros. Fix this by using the actual length of the attribute rather
+than the expected length.
+
+Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+Acked-by: Pravin B Shelar <pshelar@ovn.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/openvswitch/flow_netlink.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/openvswitch/flow_netlink.c
++++ b/net/openvswitch/flow_netlink.c
+@@ -314,7 +314,7 @@ static int __parse_flow_nlattrs(const st
+                       return -EINVAL;
+               }
+ 
+-              if (!nz || !is_all_zero(nla_data(nla), expected_len)) {
++              if (!nz || !is_all_zero(nla_data(nla), nla_len(nla))) {
+                       attrs |= 1 << type;
+                       a[type] = nla;
+               }

diff --git a/queue-3.18/series b/queue-3.18/series
new file mode 100644 (file)
index 0000000..f3b12ce
--- /dev/null
+++ b/queue-3.18/series
@@ -0,0 +1 @@
+openvswitch-avoid-oob-read-when-parsing-flow-nlattrs.patch