On Thu, Mar 5, 2026 at 7:52 AM Eelco Chaudron <[email protected]> wrote:
> Coverity reports multiple untrusted loop bound and buffer access issues
> (CID 278410, and related) in format_odp_tnl_push_header() when processing
> tunnel headers. The function casts parts of ovs_action_push_tnl->header
> to various tunnel protocol structures and uses length fields from those
> structures without validating they stay within buffer bounds.
>
> This change ensures we never read beyond the data->header buffer when
> formatting tunnel push actions.
>
> Fixes: a36de779d739 ("openvswitch: Userspace tunneling.")
> Signed-off-by: Eelco Chaudron <[email protected]>
> ---
Thanks for the work on this!
Acked-by: Mike Pattrick <[email protected]>
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
