datapath: fix panic with multiple vlan headers

When there are multiple vlan headers present in a received frame, the
first one is put into vlan_tci and protocol is set to ETH_P_8021Q.
Anything in the skb beyond the VLAN TPID may be still non-linear,
including the inner TCI and ethertype. While ovs_flow_extract takes
care of IP and IPv6 headers, it does nothing with ETH_P_8021Q. Later,
if OVS_ACTION_ATTR_POP_VLAN is executed, __pop_vlan_tci pulls the
next vlan header into vlan_tci.

This leads to two things:

1. Part of the resulting ethernet header is in the non-linear part of
   the skb. When eth_type_trans is called later as the result of
   OVS_ACTION_ATTR_OUTPUT, kernel BUGs in __skb_pull. Also,
   __pop_vlan_tci is in fact accessing random data when it reads
   past the TPID.

2. network_header points into the ethernet header instead of behind it.
   mac_len is set to a wrong value (10), too.

Reported-by: Yulong Pei <ypei@redhat.com>
Signed-off-by: Jiri Benc <jbenc@redhat.com>
I have dropped second change. Since it assumes inner mac header is of
ETH_HLEN len which is not always true.
Signed-off-by: Pravin B Shelar <pshelar@nicira.com>

diff --git a/datapath/actions.c b/datapath/actions.c
index 1ebf45ec295ad251236873cb4f5ed7f5792df4df..8d1884813d04cd195c5206c8206be32c7432d876 100644 (file)
--- a/datapath/actions.c
+++ b/datapath/actions.c
@@ -213,6 +213,9 @@ static int do_execute_actions(struct datapath *dp, struct sk_buff *skb,
 
 static int make_writable(struct sk_buff *skb, int write_len)
 {
+       if (!pskb_may_pull(skb, write_len))
+               return -ENOMEM;
+
        if (!skb_cloned(skb) || skb_clone_writable(skb, write_len))
                return 0;