On Wed, Aug 15, 2018 at 04:55:38PM -0700, Darrell Ball wrote: > On Wed, Aug 15, 2018 at 3:03 PM, Ben Pfaff <[email protected]> wrote: > > > decode_ed_prop() accepted encap/decap properties with a reported length of > > 0, without consuming any data from the property list, which yielded an > > infinite loop. > > > > Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9918 > > Signed-off-by: Ben Pfaff <[email protected]> > > --- > > lib/ofp-ed-props.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/lib/ofp-ed-props.c b/lib/ofp-ed-props.c > > index 901da2f0dd1b..28382e01235c 100644 > > --- a/lib/ofp-ed-props.c > > +++ b/lib/ofp-ed-props.c > > @@ -35,7 +35,7 @@ decode_ed_prop(const struct ofp_ed_prop_header > > **ofp_prop, > > size_t len = (*ofp_prop)->len; > > size_t pad_len = ROUND_UP(len, 8); > > > > - if (pad_len > *remaining) { > > + if (len < sizeof **ofp_prop || pad_len > *remaining) { > > > > Is *remaining > pad_len valid ? > If it is, which is not intuitive, maybe a comment will help ?
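Review bot: the added `len < sizeof **ofp_prop` test in the `if` is the correct guard and deserves a one-line comment, because a property that reports `len == 0` passes the old `pad_len > *remaining` test with `pad_len == 0` and consumes nothing, which is the reported infinite loop; after the change every accepted property consumes at least the header size, so the walk always makes progress. On Darrell's question: `*remaining > pad_len` is the normal case, it simply means more properties follow this one in the list, and the condition only rejects a property that would overrun the data that is left. Something like `/* Reject a property shorter than its own header (it would never advance) or longer than the remaining data. */` above the `if` would make both halves self-explanatory. One point worth confirming from the visible lines: `(*ofp_prop)->len` is read before the new check, so the caller must already guarantee that at least `sizeof **ofp_prop` bytes remain; if it does not, the header read itself is the first out-of-bounds access.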
Can you help me understand why it would not be valid?

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
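The bug class under discussion, as an added example that is not part of the thread or of the Open vSwitch sources: a minimal TLV-style property walker with a `fixed` switch that selects the pre-patch or post-patch guard, run over constructed byte strings. The `struct prop_header`, `decode_prop`, `walk_props` and the sample buffers are all hypothetical and exist only to show why a property shorter than its own header has to be rejected before the loop advances; `ROUND_UP` is redefined here so the file builds stand-alone.

```c
/* Added example, not OVS code. Demonstrates why a property whose reported
 * length is smaller than its own header must be rejected before the walker
 * advances: otherwise the walker consumes nothing and never terminates. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Local stand-in for the ROUND_UP macro used in the patch. */
#define ROUND_UP(X, Y) (((X) + (Y) - 1) / (Y) * (Y))

/* Hypothetical property header: 1-byte type, 1-byte total length in bytes
 * (the length includes this header, as in the OpenFlow encap/decap props). */
struct prop_header {
    uint8_t type;
    uint8_t len;
};

/* Consume one property. On success returns 0 and advances *prop and
 * *remaining past the 8-byte-padded property; returns -1 if the property
 * is malformed. 'fixed' selects the pre-patch (0) or post-patch (1) guard. */
static int
decode_prop(const struct prop_header **prop, size_t *remaining, int fixed)
{
    size_t len = (*prop)->len;
    size_t pad_len = ROUND_UP(len, 8);

    if (fixed) {
        /* Post-patch guard: a property cannot be shorter than its own header,
         * so every accepted property consumes at least sizeof **prop bytes. */
        if (len < sizeof **prop || pad_len > *remaining) {
            return -1;
        }
    } else if (pad_len > *remaining) {
        /* Pre-patch guard: len == 0 gives pad_len == 0, which passes. */
        return -1;
    }
    *remaining -= pad_len;
    *prop = (const struct prop_header *) ((const uint8_t *) *prop + pad_len);
    return 0;
}

/* Walk a whole property list. Returns the number of properties, -1 on a
 * malformed property, or -2 when an iteration made no progress (the
 * infinite-loop symptom, bounded here so the example terminates). */
static int
walk_props(const uint8_t *buf, size_t buf_len, int fixed)
{
    const struct prop_header *prop = (const struct prop_header *) buf;
    size_t remaining = buf_len;
    int count = 0;

    /* Caller-side guarantee: the header must be readable before decode. */
    while (remaining >= sizeof *prop) {
        size_t before = remaining;
        if (decode_prop(&prop, &remaining, fixed)) {
            return -1;
        }
        if (remaining == before) {
            return -2;  /* nothing consumed: would spin forever without the fix */
        }
        count++;
    }
    return count;
}

/* Constructed sample inputs. */
/* Two well-formed properties: len 2 (header only) and len 5, each padded to 8. */
static const uint8_t sample_good[16] = {
    1, 2, 0, 0, 0, 0, 0, 0,
    2, 5, 0xaa, 0xbb, 0xcc, 0, 0, 0
};
/* One property claiming len 0: shorter than its own header. */
static const uint8_t sample_zero_len[8] = { 1, 0, 0, 0, 0, 0, 0, 0 };
/* One property claiming len 9 in an 8-byte buffer: overruns the remainder. */
static const uint8_t sample_overrun[8] = { 1, 9, 0, 0, 0, 0, 0, 0 };

int
main(void)
{
    printf("good, fixed:      %d\n", walk_props(sample_good, sizeof sample_good, 1));
    printf("zero-len, old:    %d\n", walk_props(sample_zero_len, sizeof sample_zero_len, 0));
    printf("zero-len, fixed:  %d\n", walk_props(sample_zero_len, sizeof sample_zero_len, 1));
    printf("overrun, fixed:   %d\n", walk_props(sample_overrun, sizeof sample_overrun, 1));
    return 0;
}
```

The `-2` return is only a bound added for the example; the real walker has no such check, which is exactly why a zero-length property looped forever. The `sample_overrun` case shows that the second half of the condition, `pad_len > *remaining`, is still needed after the patch: `len >= sizeof **prop` alone says nothing about whether the property fits in the data that is left.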
