On 27 Feb 2026, at 20:56, Mike Pattrick wrote:
> On Thu, Feb 26, 2026 at 5:59 AM Eelco Chaudron via dev <
> [email protected]> wrote:
>
>> Coverity reports multiple untrusted loop bound and buffer access issues
>> (CID 278410, and related) in format_odp_tnl_push_header() when processing
>> tunnel headers. The function casts parts of ovs_action_push_tnl->header
>> to various tunnel protocol structures and uses length fields from those
>> structures without validating they stay within buffer bounds.
>>
>> The ovs_action_push_tnl->header buffer is fixed at 512 bytes
>> (TNL_PUSH_HEADER_SIZE), but the function was parsing variable-length
>> structures without checking that accesses remain within header_len:
>>
>> - Geneve options: opt_len * 4 bytes could exceed buffer
>> - SRv6 segments: (last_entry + 1) * 16 bytes could exceed buffer
>> - GRE options: checksum, key, sequence fields parsed without validation
>> - ERSPAN metadata: version-specific fields accessed without bounds check
>> - GTPU headers: no validation before dereferencing
>>
>> Fixes: f5796d539cdb ("Format and commit the encap action tunnel header.")
>>
>
> The code change looks fine, however, I cannot find this commit.

Not sure what happened, will update.

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
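
The bounds checks the quoted commit message describes for Geneve options and SRv6 segments, as an added example that is not the patch under review and not OVS code. The function names and the `off` parameter are hypothetical; the field offsets follow the wire formats in RFC 8926 and RFC 8754, not OVS's own structures.

```c
#include <stddef.h>
#include <stdint.h>

#define TNL_PUSH_HEADER_SIZE 512   /* buffer size stated in the commit message */
#define GENEVE_BASE_LEN 8          /* fixed Geneve header, RFC 8926 */
#define SRH_BASE_LEN 8             /* fixed SRv6 routing header, RFC 8754 */

/* True when [off, off + need) lies inside the first header_len bytes.
 * Written as a subtraction so that off + need can never wrap around. */
static int
range_ok(size_t header_len, size_t off, size_t need)
{
    return header_len <= TNL_PUSH_HEADER_SIZE
           && off <= header_len && need <= header_len - off;
}

/* Hypothetical helper: returns the Geneve options length in bytes, or -1 if
 * the base header or the options it declares would run past header_len. */
int
geneve_opts_len(const uint8_t *hdr, size_t header_len, size_t off)
{
    if (!range_ok(header_len, off, GENEVE_BASE_LEN)) {
        return -1;                      /* check before reading opt_len */
    }
    size_t opts = (size_t) (hdr[off] & 0x3f) * 4;   /* opt_len * 4 bytes */
    return range_ok(header_len, off + GENEVE_BASE_LEN, opts) ? (int) opts : -1;
}

/* Hypothetical helper: returns the number of SRv6 segments, or -1 if
 * (last_entry + 1) * 16 bytes of segment list would run past header_len. */
int
srv6_segment_count(const uint8_t *hdr, size_t header_len, size_t off)
{
    if (!range_ok(header_len, off, SRH_BASE_LEN)) {
        return -1;                      /* check before reading last_entry */
    }
    size_t nsegs = (size_t) hdr[off + 4] + 1;       /* last_entry + 1 */
    return range_ok(header_len, off + SRH_BASE_LEN, nsegs * 16)
           ? (int) nsegs : -1;
}
```

A formatter would stop printing and report the header as malformed whenever either helper returns -1, instead of walking the options or the segment list.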
