Thanks Jan and Bhargava. I applied this to master and branch-2.8. I don't think the problem exists on older branches.
On Wed, Nov 29, 2017 at 08:00:06PM +0000, Jan Scheurich wrote: > Good spot! > > Acked-by: Jan Scheurich <[email protected]> > > > -----Original Message----- > > From: Ben Pfaff [mailto:[email protected]] > > Sent: Wednesday, 29 November, 2017 17:30 > > To: [email protected] > > Cc: Ben Pfaff <[email protected]>; Jan Scheurich <[email protected]>; > > Bhargava Shastry <[email protected]> > > Subject: [PATCH] flow: Avoid buffer overread in parse_nsh() for malformed > > packet. > > > > Found by libfuzzer. > > > > CC: Jan Scheurich <[email protected]> > > Fixes: 7edef47b4896 ("NSH: Minor bugfixes") > > Reported-by: Bhargava Shastry <[email protected]> > > Signed-off-by: Ben Pfaff <[email protected]> > > --- > > lib/flow.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/lib/flow.c b/lib/flow.c > > index 1adc49970a3a..bc24fe7e20d3 100644 > > --- a/lib/flow.c > > +++ b/lib/flow.c > > @@ -553,7 +553,7 @@ parse_nsh(const void **datap, size_t *sizep, struct > > flow_nsh *key) > > /* NSH header length is in 4 byte words. */ > > length = ((ver_flags_len & NSH_LEN_MASK) >> NSH_LEN_SHIFT) << 2; > > > > - if (version != 0) { > > + if (length > *sizep || version != 0) { > > return false; > > } > > > > -- > > 2.10.2 > _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
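Review bot: the new condition `if (length > *sizep || version != 0)` in the `@@ -553,7 +553,7 @@ parse_nsh(...)` hunk bounds the header length from above against the remaining packet bytes before the header is consumed, which is exactly what is needed to stop the overread, since `length` is derived straight from the attacker-controlled length field in `ver_flags_len`. Two follow-ups worth confirming: the hunk does not show a lower bound, so a length field smaller than the NSH base and service path headers should be rejected elsewhere in parse_nsh, otherwise later fixed-offset reads of the header could still run past the region the length check admitted; and the commit message would be clearer if it stated that the overread happens when the length field claims more bytes than remain in the packet, so that the one-line test condition can be matched to the bug report.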
