On 2/26/26 11:40 AM, Eelco Chaudron via dev wrote:
> Coverity reports multiple untrusted loop bound and buffer access issues
> (CID 278410, and related) in format_odp_tnl_push_header() when processing
> tunnel headers. The function casts parts of ovs_action_push_tnl->header
> to various tunnel protocol structures and uses length fields from those
> structures without validating they stay within buffer bounds.
> 
> The ovs_action_push_tnl->header buffer is fixed at 512 bytes
> (TNL_PUSH_HEADER_SIZE), but the function was parsing variable-length
> structures without checking that accesses remain within header_len:
> 
> - Geneve options: opt_len * 4 bytes could exceed buffer

I didn't go through all of them, but at least this one doesn't seem
right, as geneve options can never be larger than 252 bytes.  There
are only 6 bits reserved for the total options length in the geneve
header.

> - SRv6 segments: (last_entry + 1) * 16 bytes could exceed buffer
> - GRE options: checksum, key, sequence fields parsed without validation
> - ERSPAN metadata: version-specific fields accessed without bounds check
> - GTPU headers: no validation before dereferencing
> 
> Fixes: f5796d539cdb ("Format and commit the encap action tunnel header.")
> Signed-off-by: Eelco Chaudron <[email protected]>
> ---
>  lib/odp-util.c | 130 ++++++++++++++++++++++++++++++++++++++++++++++---
>  1 file changed, 122 insertions(+), 8 deletions(-)
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
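An added example (not Open vSwitch code, and not the patch under review) of the kind of header_len check the commit message describes, written against a hypothetical stand-in for ovs_action_push_tnl with only the two fields the checks need. It parses the two variable-length cases the thread discusses: Geneve options, where opt_len is a 6-bit count of 4-byte words and so caps the option area at 252 bytes, and an SRv6 SRH, where last_entry is 8 bits and (last_entry + 1) * 16 can claim up to 4096 bytes, well past a 512-byte buffer. The field offsets follow RFC 8926 (Geneve) and RFC 8754 (SRH); the function and constant names and the sample buffers are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TNL_PUSH_HEADER_SIZE 512   /* fixed push-header buffer, as in the commit message */
#define GENEVE_BASE_HLEN 8         /* RFC 8926 base header */
#define GENEVE_OPT_HLEN 4          /* per-option TLV header */
#define SRH_FIXED_HLEN 8           /* RFC 8754 fixed part of the SRH */
#define SRH_SEGMENT_LEN 16         /* one IPv6 address per segment */

/* Hypothetical stand-in for ovs_action_push_tnl (assumption for this example). */
struct tnl_push {
    uint32_t header_len;           /* valid bytes in header[] */
    uint8_t header[TNL_PUSH_HEADER_SIZE];
};

/* Bytes of header[] at or after 'off' and inside header_len.
 * Returns 0 when 'off' or header_len is out of range, so callers fail closed. */
static size_t tnl_avail(const struct tnl_push *tnl, size_t off)
{
    size_t len = tnl->header_len;
    if (len > TNL_PUSH_HEADER_SIZE || off > len) {
        return 0;
    }
    return len - off;
}

/* Walk the Geneve options starting at 'gnv_off'. Returns the option count,
 * or -1 if the base header, the option area or any single option would be
 * read past header_len. opt_len is a 6-bit field, so the option area is at
 * most 63 * 4 = 252 bytes; the header_len check is still needed because
 * header_len itself may be smaller than that. */
int geneve_count_opts(const struct tnl_push *tnl, size_t gnv_off)
{
    size_t avail = tnl_avail(tnl, gnv_off);
    if (avail < GENEVE_BASE_HLEN) {
        return -1;
    }
    const uint8_t *gnh = tnl->header + gnv_off;
    size_t opts_len = (size_t)(gnh[0] & 0x3f) * 4;        /* Ver:2, Opt Len:6 */
    if (avail - GENEVE_BASE_HLEN < opts_len) {
        return -1;
    }
    const uint8_t *opts = gnh + GENEVE_BASE_HLEN;
    size_t pos = 0;
    int n = 0;
    while (pos < opts_len) {
        if (opts_len - pos < GENEVE_OPT_HLEN) {
            return -1;                                     /* truncated TLV header */
        }
        size_t body = (size_t)(opts[pos + 3] & 0x1f) * 4;  /* R:3, Length:5 */
        pos += GENEVE_OPT_HLEN;
        if (opts_len - pos < body) {
            return -1;                                     /* TLV body overruns area */
        }
        pos += body;
        n++;
    }
    return n;
}

/* Validate an SRv6 SRH at 'srh_off'. Returns the segment count, or -1 if
 * (last_entry + 1) * 16 bytes would be read past header_len. last_entry is
 * 8 bits, so up to 256 * 16 = 4096 bytes can be claimed: eight times the buffer. */
int srv6_count_segments(const struct tnl_push *tnl, size_t srh_off)
{
    size_t avail = tnl_avail(tnl, srh_off);
    if (avail < SRH_FIXED_HLEN) {
        return -1;
    }
    size_t n_seg = (size_t)tnl->header[srh_off + 4] + 1;  /* Last Entry at byte 4 */
    if ((avail - SRH_FIXED_HLEN) / SRH_SEGMENT_LEN < n_seg) {
        return -1;
    }
    return (int)n_seg;
}

/* Constructed sample: Geneve at offset 0 carrying one option with a 4-byte body. */
static void fill_geneve(struct tnl_push *tnl, uint8_t opt_len_words, uint32_t header_len)
{
    memset(tnl, 0, sizeof *tnl);
    tnl->header[0] = opt_len_words & 0x3f;                 /* ver=0, opt_len */
    tnl->header[2] = 0x65;                                 /* protocol 0x6558 */
    tnl->header[3] = 0x58;
    tnl->header[GENEVE_BASE_HLEN + 3] = 1;                 /* option length = 1 word */
    tnl->header_len = header_len;
}

int demo_geneve_wellformed(void)
{
    struct tnl_push tnl;
    fill_geneve(&tnl, 2, GENEVE_BASE_HLEN + 8);            /* opt_len = 2 words = 8 bytes */
    return geneve_count_opts(&tnl, 0);                     /* 1 */
}

int demo_geneve_overclaimed(void)
{
    struct tnl_push tnl;
    fill_geneve(&tnl, 63, GENEVE_BASE_HLEN + 8);           /* claims 252 bytes, has 8 */
    return geneve_count_opts(&tnl, 0);                     /* -1 */
}

int demo_srv6_wellformed(void)
{
    struct tnl_push tnl;
    memset(&tnl, 0, sizeof tnl);
    tnl.header[4] = 1;                                     /* last_entry=1: 2 segments */
    tnl.header_len = SRH_FIXED_HLEN + 2 * SRH_SEGMENT_LEN;
    return srv6_count_segments(&tnl, 0);                   /* 2 */
}

int demo_srv6_overclaimed(void)
{
    struct tnl_push tnl;
    memset(&tnl, 0, sizeof tnl);
    tnl.header[4] = 255;                                   /* 256 segments = 4096 bytes */
    tnl.header_len = TNL_PUSH_HEADER_SIZE;
    return srv6_count_segments(&tnl, 0);                   /* -1 */
}

int main(void)
{
    printf("geneve ok=%d overclaimed=%d, srv6 ok=%d overclaimed=%d\n",
           demo_geneve_wellformed(), demo_geneve_overclaimed(),
           demo_srv6_wellformed(), demo_srv6_overclaimed());
    return 0;
}
```

The fields are read byte-wise rather than by casting header[] to packed structs, which sidesteps alignment questions at arbitrary offsets; every length the packet supplies is compared against the bytes remaining before header_len, never against the 512-byte buffer alone, since header_len is the real bound on what was written.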