[ovs-dev] [PATCH] ofp-actions: Fix buffer overread in decode_LEARN_specs().

Ben Pfaff Mon, 25 Jun 2018 11:51:12 -0700

The length check was wrong for immediate arguments to "learn" actions.


Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9047
Signed-off-by: Ben Pfaff <[email protected]>
---
 lib/ofp-actions.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c
index e91e0b252390..3f7702185a64 100644
--- a/lib/ofp-actions.c
+++ b/lib/ofp-actions.c
@@ -4740,7 +4740,7 @@ learn_min_len(uint16_t header)
         min_len += sizeof(ovs_be32); /* src_field */
         min_len += sizeof(ovs_be16); /* src_ofs */
     } else {
-        min_len += DIV_ROUND_UP(n_bits, 16);
+        min_len += 2 * DIV_ROUND_UP(n_bits, 16);
     }
     if (dst_type == NX_LEARN_DST_MATCH ||
         dst_type == NX_LEARN_DST_LOAD) {
-- 
2.16.1

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev

[ovs-dev] [PATCH] ofp-actions: Fix buffer overread in decode_LEARN_specs().

Reply via email to