When parse_odp_key_mask_attr runs into ufid, it returns the length of the ufid without appending data into the ofpbufs. This commit adds additional checking for this case.
Found this bug when debugging https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10850, but not certain it is related. Signed-off-by: Yifeng Sun <[email protected]> --- lib/odp-util.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/odp-util.c b/lib/odp-util.c index d482d5bcf968..f53530db40aa 100644 --- a/lib/odp-util.c +++ b/lib/odp-util.c @@ -2216,9 +2216,10 @@ parse_odp_action(const char *s, const struct simap *port_names, struct nlattr mask[1024 / sizeof(struct nlattr)]; struct ofpbuf maskbuf = OFPBUF_STUB_INITIALIZER(mask); struct nlattr *nested, *key; - size_t size; + size_t size, old_size; start_ofs = nl_msg_start_nested(actions, OVS_ACTION_ATTR_SET); + old_size = actions->size; retval = parse_odp_key_mask_attr(s + 4, port_names, actions, &maskbuf); if (retval < 0) { ofpbuf_uninit(&maskbuf); @@ -2233,7 +2234,7 @@ parse_odp_action(const char *s, const struct simap *port_names, key = nested + 1; size = nl_attr_get_size(mask); - if (size == nl_attr_get_size(key)) { + if (old_size != actions->size && size == nl_attr_get_size(key)) { /* Change to masked set action if not fully masked. */ if (!is_all_ones(mask + 1, size)) { /* Remove padding of eariler key payload */ -- 2.7.4 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
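Review bot: In the first hunk, `old_size = actions->size;` is taken after `nl_msg_start_nested`, which is the right baseline (it already includes the nested OVS_ACTION_ATTR_SET header, so any later difference means parse_odp_key_mask_attr appended a key), but nothing in the code says why the snapshot exists. Please add a short comment at the assignment, e.g. `/* parse_odp_key_mask_attr() may consume input (e.g. ufid) without appending a key; remember the size so we can detect that below. */`, so the comparison in the later hunk is not mistaken for dead code and removed.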
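Review bot: In the second hunk the guard `old_size != actions->size` only protects `nl_attr_get_size(key)`, but `size = nl_attr_get_size(mask);` on the line above is still evaluated unconditionally; since the commit message says the ufid case appends nothing to the ofpbufs (mask included) and `mask` is an uninitialised stack array, that read of `mask[0].nla_len` remains. Consider testing `old_size == actions->size` before computing `size`, and deciding explicitly what to do in that case (the current fall-through leaves an empty `set()` nested attribute in `actions`; if that is not a valid action it would be clearer to return -EINVAL after `ofpbuf_uninit(&maskbuf)`, matching the surrounding error paths). Also, while touching the nearby comment, "eariler" should read "earlier".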
