Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10714
Signed-off-by: Yifeng Sun <[email protected]>
Suggested-by: Ben Pfaff <[email protected]>
---
ovn/lib/expr.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/ovn/lib/expr.c b/ovn/lib/expr.c
index 0a2cef2f0ee9..cabd5c60d9c8 100644
--- a/ovn/lib/expr.c
+++ b/ovn/lib/expr.c
@@ -459,6 +459,8 @@ expr_print(const struct expr *e)
/* Parsing. */
+#define MAX_LPAREN_DEPTH 100
+
/* Context maintained during expr_parse(). */
struct expr_context {
struct lexer *lexer; /* Lexer for pulling more tokens. */
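Review bot: `MAX_LPAREN_DEPTH` is added without a comment saying what it bounds or why 100 was chosen. From the check added in expr_parse_primary() it limits how many parentheses may be open at once, and it presumably exists to cap parser recursion on untrusted match expressions, since the report comes from OSS-Fuzz. I would add `/* Maximum depth of nested parentheses accepted by the parser; bounds recursion in expr_parse_primary(). */` above the define, so that a later change to the limit is made with the stack-depth concern in mind.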
@@ -466,6 +468,7 @@ struct expr_context {
const struct shash *addr_sets; /* Address set table. */
const struct shash *port_groups; /* Port group table. */
bool not; /* True inside odd number of NOT operators. */
+ unsigned int paren_depth; /* Depth of nested parentheses. */
};
struct expr *expr_parse__(struct expr_context *);
@@ -1080,11 +1083,17 @@ expr_parse_primary(struct expr_context *ctx, bool
*atomic)
{
*atomic = false;
if (lexer_match(ctx->lexer, LEX_T_LPAREN)) {
+ if (++ctx->paren_depth > MAX_LPAREN_DEPTH) {
+ lexer_syntax_error(ctx->lexer,
+ "parenthesis nested too deeply");
+ return NULL;
+ }
struct expr *e = expr_parse__(ctx);
if (!lexer_force_match(ctx->lexer, LEX_T_RPAREN)) {
expr_destroy(e);
return NULL;
}
+ --ctx->paren_depth;
*atomic = true;
return e;
}
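Review bot: The depth counter is left unbalanced on both failure paths of the `LEX_T_LPAREN` branch: the over-limit return has already incremented `ctx->paren_depth`, and the `lexer_force_match` failure returns before `--ctx->paren_depth` runs. That is harmless only if every caller discards the context after an error, which cannot be confirmed from this hunk. Testing before incrementing (`if (ctx->paren_depth >= MAX_LPAREN_DEPTH)`) and wrapping the recursive call directly (`ctx->paren_depth++; struct expr *e = expr_parse__(ctx); ctx->paren_depth--;`) keeps the counter balanced on every path. The message would also read better as "parentheses nested too deeply". The body of expr_parse_primary() continues past the end of the hunk.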
@@ -1270,7 +1279,8 @@ expr_parse(struct lexer *lexer, const struct shash
*symtab,
struct expr_context ctx = { .lexer = lexer,
.symtab = symtab,
.addr_sets = addr_sets,
- .port_groups = port_groups };
+ .port_groups = port_groups,
+ .paren_depth = 0 };
return lexer->error ? NULL : expr_parse__(&ctx);
}
--
2.7.4