On 27 Feb 2026, at 23:02, Ilya Maximets wrote:

> On 2/26/26 11:40 AM, Eelco Chaudron via dev wrote:
>> Coverity reports multiple untrusted loop bound and buffer access issues
>> (CID 278410, and related) in format_odp_tnl_push_header() when processing
>> tunnel headers. The function casts parts of ovs_action_push_tnl->header
>> to various tunnel protocol structures and uses length fields from those
>> structures without validating they stay within buffer bounds.
>>
>> The ovs_action_push_tnl->header buffer is fixed at 512 bytes
>> (TNL_PUSH_HEADER_SIZE), but the function was parsing variable-length
>> structures without checking that accesses remain within header_len:
>>
>> - Geneve options: opt_len * 4 bytes could exceed buffer
>
> I didn't go through all of them, but at least this one doesn't seem
> right, as geneve options can never be larger than 252 bytes.  There
> are only 6 bits reserved for the total options length in the geneve
> header.

I think what I was trying to say is we could still have options that
are aligned outside the buffer. But my brain just got crazy trying to
describe all possibilities... I'll update the message to be more simple :)

//Eelco

-----

odputil: Add full bounds checks to format_odp_tnl_push_header().

Coverity reports multiple untrusted loop bound and buffer access issues
(CID 278410, and related) in format_odp_tnl_push_header() when processing
tunnel headers. The function casts parts of ovs_action_push_tnl->header
to various tunnel protocol structures and uses length fields from those
structures without validating they stay within buffer bounds.

This change ensures we never read beyond the data->header buffer when
formatting tunnel push actions.

Fixes: a36de779d739 ("openvswitch: Userspace tunneling.")
Signed-off-by: Eelco Chaudron <[email protected]>


>> - SRv6 segments: (last_entry + 1) * 16 bytes could exceed buffer
>> - GRE options: checksum, key, sequence fields parsed without validation
>> - ERSPAN metadata: version-specific fields accessed without bounds check
>> - GTPU headers: no validation before dereferencing
>>
>> Fixes: f5796d539cdb ("Format and commit the encap action tunnel header.")
>> Signed-off-by: Eelco Chaudron <[email protected]>
>> ---
>>  lib/odp-util.c | 130 ++++++++++++++++++++++++++++++++++++++++++++++---
>>  1 file changed, 122 insertions(+), 8 deletions(-)

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
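
The point debated above, as an added example that is not part of the thread or of the OVS patch: a Geneve options region is capped at 252 bytes by its 6-bit length field, yet it can still fall outside header_len because it starts at an offset behind the outer headers. The names geneve_count_opts and demo and the offset 42 are hypothetical; field layout follows RFC 8926.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define GENEVE_BASE_LEN 8   /* Fixed Geneve header (RFC 8926). */
#define GENEVE_OPT_HDR  4   /* Class (2) + type (1) + flags/length (1). */

/* Returns the number of well-formed options, or -1 if the Geneve header or
 * any option would extend past header_len.  gnv_off is where the Geneve
 * header starts in buf, after the outer Ethernet/IP/UDP headers. */
int geneve_count_opts(const uint8_t *buf, size_t header_len, size_t gnv_off)
{
    if (gnv_off > header_len || header_len - gnv_off < GENEVE_BASE_LEN) {
        return -1;
    }
    /* opt_len: low 6 bits of byte 0, in 4-byte units, so at most 252. */
    size_t opts_len = (size_t) (buf[gnv_off] & 0x3f) * 4;
    size_t opts_off = gnv_off + GENEVE_BASE_LEN;
    if (opts_len > header_len - opts_off) {
        return -1;              /* Region runs past the valid data. */
    }
    int n = 0;
    for (size_t pos = 0; pos < opts_len; n++) {
        if (opts_len - pos < GENEVE_OPT_HDR) {
            return -1;
        }
        /* Per-option length: low 5 bits, 4-byte units, header excluded. */
        size_t body = (size_t) (buf[opts_off + pos + 3] & 0x1f) * 4;
        if (body > opts_len - pos - GENEVE_OPT_HDR) {
            return -1;          /* Option overruns the options region. */
        }
        pos += GENEVE_OPT_HDR + body;
    }
    return n;
}

/* Constructed sample: Geneve at offset 42 (Ethernet 14 + IPv4 20 + UDP 8)
 * with a region of region_units * 4 bytes whose first option declares a
 * body of opt_units * 4 bytes; the remaining bytes are zero. */
int demo(size_t header_len, uint8_t region_units, uint8_t opt_units)
{
    uint8_t buf[512];
    if (header_len > sizeof buf) {
        return -1;
    }
    memset(buf, 0, sizeof buf);
    buf[42] = region_units & 0x3f;
    buf[42 + GENEVE_BASE_LEN + 3] = opt_units & 0x1f;
    return geneve_count_opts(buf, header_len, 42);
}
```

Every subtraction is guarded by a prior comparison, so none of the size_t arithmetic can wrap.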