openvswitch: Fix unsafe attribute parsing in output_userspace()

This patch replaces the manual Netlink attribute iteration in
output_userspace() with nla_for_each_nested(), which ensures that only
well-formed attributes are processed.

Fixes: ccb1352e76cf ("net: Add Open vSwitch kernel components.")
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
Acked-by: Ilya Maximets <i.maximets@ovn.org>
Acked-by: Aaron Conole <aconole@redhat.com>
Link: https://patch.msgid.link/0bd65949df61591d9171c0dc13e42cea8941da10.1746541734.git.echaudro@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
index 61fea7baae5d5cda97201d4e810ea181d64e7e50..2f22ca59586f2545c3394057d9fd048eb516fd0d 100644 (file)
--- a/net/openvswitch/actions.c
+++ b/net/openvswitch/actions.c
@@ -975,8 +975,7 @@ static int output_userspace(struct datapath *dp, struct sk_buff *skb,
        upcall.cmd = OVS_PACKET_CMD_ACTION;
        upcall.mru = OVS_CB(skb)->mru;
 
-       for (a = nla_data(attr), rem = nla_len(attr); rem > 0;
-            a = nla_next(a, &rem)) {
+       nla_for_each_nested(a, attr, rem) {
                switch (nla_type(a)) {
                case OVS_USERSPACE_ATTR_USERDATA:
                        upcall.userdata = a;