It is unsafe to access expr_constant.masked when its type is EXPR_C_STRING as its value is uninitialized. This patch fixes this issue.
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10731 Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10767 Signed-off-by: Yifeng Sun <[email protected]> --- v1->v2: Fix email subject by adding [ovs-dev] v2->v3: Inspect through code to make sure expr_constant is accessed correctly by its type, thanks Ben for the review! ovn/lib/expr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ovn/lib/expr.c b/ovn/lib/expr.c index 5880fd2e7289..0fbe109783da 100644 --- a/ovn/lib/expr.c +++ b/ovn/lib/expr.c @@ -581,7 +581,7 @@ make_cmp(struct expr_context *ctx, f->symbol->name); goto exit; } - if (cs->values[0].masked) { + if (cs->type == EXPR_C_INTEGER && cs->values[0].masked) { lexer_error(ctx->lexer, "Only == and != operators may be used " "with masked constants. Consider using subfields " "instead (e.g. eth.src[0..15] > 0x1111 in place of " -- 2.7.4 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
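Review bot: the added `cs->type == EXPR_C_INTEGER` test in make_cmp() protects only this one read of `cs->values[0].masked`; per the commit message the field stays uninitialized for EXPR_C_STRING constants, so any future reader that omits the type check will have the same bug. Consider a comment on the expr_constant definition stating that `masked` is meaningful only for EXPR_C_INTEGER, or initializing the field where string constants are built, so the invariant does not depend on every call site. The diffstat shows only ovn/lib/expr.c changing; a regression test derived from the two OSS-Fuzz reports listed in the Reported-at trailers would let the fix be verified and keep it from regressing.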
