[PATCH net] openvswitch: validate MPLS set/set_masked payload length

Next message: Thomas Richter: "Re: [PATCH v8 0/5] perf evsel fallback changes, better s390 defaults"
Previous message: Krzysztof Kozlowski: "Re: [PATCH v2] MAINTAINERS: Add maintainers for ARM/REALTEK ARCHITECTURE"
Next in thread: Ilya Maximets: "Re: [PATCH net] openvswitch: validate MPLS set/set_masked payload length"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Yang Yang

Date: Thu Mar 19 2026 - 04:03:09 EST

validate_set() accepted OVS_KEY_ATTR_MPLS as variable-sized payload for
SET/SET_MASKED actions. In action handling, OVS expects fixed-size
MPLS key data (struct ovs_key_mpls).

Use the already normalized key_len (masked case included) and reject
non-matching MPLS action key sizes.

Reject invalid MPLS action payload lengths early.

Fixes: fbdcdd78da7c ("Change in Openvswitch to support MPLS label depth of 3 in ingress direction")
Reported-by: Yifan Wu <yifanwucs@xxxxxxxxx>
Reported-by: Juefei Pu <tomapufckgml@xxxxxxxxx>
Tested-by: Ao Zhou <n05ec@xxxxxxxxxx>
Co-developed-by: Yuan Tan <tanyuan98@xxxxxxxxxxx>
Signed-off-by: Yuan Tan <tanyuan98@xxxxxxxxxxx>
Suggested-by: Xin Liu <bird@xxxxxxxxxx>
Signed-off-by: Yang Yang <n05ec@xxxxxxxxxx>
---

net/openvswitch/flow_netlink.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
index 67fbf6e48a301..45444b81e9b97 100644
--- a/net/openvswitch/flow_netlink.c
+++ b/net/openvswitch/flow_netlink.c
@@ -2953,6 +2953,8 @@ static int validate_set(const struct nlattr *a,
case OVS_KEY_ATTR_MPLS:
if (!eth_p_mpls(eth_type))
return -EINVAL;
+ if (key_len != sizeof(struct ovs_key_mpls))
+ return -EINVAL;
break;

case OVS_KEY_ATTR_SCTP:
--
2.43.0