From 2e4109b122f09342479b7b00aafbabcb2c829169 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=BC=A0=E7=A5=96=E5=BB=BA?= <zhangzujian.7@gmail.com>
Date: Sat, 25 May 2024 05:15:59 +0000
Subject: [PATCH] fix kernel crash

---
 datapath-windows/ovsext/User.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/datapath-windows/ovsext/User.c b/datapath-windows/ovsext/User.c
index c4563b28b2c..0e8c4c9ddb5 100644
--- a/datapath-windows/ovsext/User.c
+++ b/datapath-windows/ovsext/User.c
@@ -271,6 +271,7 @@ OvsNlExecuteCmdHandler(POVS_USER_PARAMS_CONTEXT usrParamsCtx,
 {
     NTSTATUS status = STATUS_SUCCESS;
     POVS_MESSAGE msgIn = (POVS_MESSAGE)usrParamsCtx->inputBuffer;
+    UINT32 inputLength = usrParamsCtx->inputLength;
     POVS_MESSAGE msgOut = (POVS_MESSAGE)usrParamsCtx->outputBuffer;
     PNL_MSG_HDR nlMsgHdr = &(msgIn->nlMsg);
     PGENL_MSG_HDR genlMsgHdr = &(msgIn->genlMsg);
@@ -280,7 +281,7 @@ OvsNlExecuteCmdHandler(POVS_USER_PARAMS_CONTEXT usrParamsCtx,
     PNL_ATTR keyAttrs[__OVS_KEY_ATTR_MAX] = {NULL};
 
     UINT32 attrOffset = NLMSG_HDRLEN + GENL_HDRLEN + OVS_HDRLEN;
-    UINT32 keyAttrOffset = 0;
+    UINT32 keyAttrOffset = 0, keyAttrLength = 0;
     OvsPacketExecute execute;
     NL_ERROR nlError = NL_ERROR_SUCCESS;
     NL_BUFFER nlBuf;
@@ -310,10 +311,11 @@ OvsNlExecuteCmdHandler(POVS_USER_PARAMS_CONTEXT usrParamsCtx,
 
     keyAttrOffset = (UINT32)((PCHAR)nlAttrs[OVS_PACKET_ATTR_KEY] -
                     (PCHAR)nlMsgHdr);
+    keyAttrLength = MIN(NlAttrLen(nlAttrs[OVS_PACKET_ATTR_KEY]),
+                        inputLength - keyAttrOffset);
 
     /* Get flow keys attributes */
-    if ((NlAttrParseNested(nlMsgHdr, keyAttrOffset,
-                           NlAttrLen(nlAttrs[OVS_PACKET_ATTR_KEY]),
+    if ((NlAttrParseNested(nlMsgHdr, keyAttrOffset, keyAttrLength,
                            nlFlowKeyPolicy, nlFlowKeyPolicyLen,
                            keyAttrs, ARRAY_SIZE(keyAttrs))) != TRUE) {
         OVS_LOG_ERROR("Key Attr Parsing failed for msg: %p", nlMsgHdr);
@@ -406,8 +408,11 @@ _MapNlAttrToOvsPktExec(PNL_MSG_HDR nlMsgHdr, PNL_ATTR *nlAttrs,
     execute->actions = NlAttrGet(nlAttrs[OVS_PACKET_ATTR_ACTIONS]);
     execute->actionsLen = NlAttrGetSize(nlAttrs[OVS_PACKET_ATTR_ACTIONS]);
 
-    ASSERT(keyAttrs[OVS_KEY_ATTR_IN_PORT]);
-    execute->inPort = NlAttrGetU32(keyAttrs[OVS_KEY_ATTR_IN_PORT]);
+    if (keyAttrs[OVS_KEY_ATTR_IN_PORT]) {
+        execute->inPort = NlAttrGetU32(keyAttrs[OVS_KEY_ATTR_IN_PORT]);
+    } else {
+        execute->inPort = execute->dpNo;
+    }
     execute->keyAttrs = keyAttrs;
 
     if (nlAttrs[OVS_PACKET_ATTR_MRU]) {