decode_ed_prop() accepted encap/decap properties with a reported length of 0, without consuming any data from the property list, which yielded an infinite loop.
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9918 Signed-off-by: Ben Pfaff <[email protected]> --- lib/ofp-ed-props.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/ofp-ed-props.c b/lib/ofp-ed-props.c index 901da2f0dd1b..28382e01235c 100644 --- a/lib/ofp-ed-props.c +++ b/lib/ofp-ed-props.c @@ -35,7 +35,7 @@ decode_ed_prop(const struct ofp_ed_prop_header **ofp_prop, size_t len = (*ofp_prop)->len; size_t pad_len = ROUND_UP(len, 8); - if (pad_len > *remaining) { + if (len < sizeof **ofp_prop || pad_len > *remaining) { return OFPERR_OFPBAC_BAD_LEN; } -- 2.16.1 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
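Review bot: In decode_ed_prop(), the header is still dereferenced at `size_t len = (*ofp_prop)->len;` before any visible check that `*remaining` covers a full header, so the new `len < sizeof **ofp_prop` test fixes the non-advancing loop but does not by itself guard that read. If the caller does not already guarantee at least `sizeof **ofp_prop` bytes remain, consider rejecting `*remaining < sizeof **ofp_prop` with OFPERR_OFPBAC_BAD_LEN ahead of the load. The new condition also rejects every length shorter than the header, not only the 0 named in the commit message, which is the right behaviour and worth stating there. The diffstat shows only lib/ofp-ed-props.c changing; a regression test that feeds a zero-length encap/decap property and expects OFPERR_OFPBAC_BAD_LEN would keep the OSS-Fuzz case from coming back.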
