In this piece of code, 'struct ofpbuf b' should always point to metadata so that metadata can be filled with values through ofpbuf operations, like ofpbuf_put_hex and ofpbuf_push_zeros. However, ofpbuf_push_zeros may change the data pointer of 'struct ofpbuf b' and therefore, metadata will not contain the expected values. This patch fixes it.
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10863 Signed-off-by: Yifeng Sun <[email protected]> --- v1->v2: Fix a bug in previous version, thanks Ben! lib/odp-util.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/lib/odp-util.c b/lib/odp-util.c index 0491bed38a6c..b013d00f427a 100644 --- a/lib/odp-util.c +++ b/lib/odp-util.c @@ -2108,20 +2108,21 @@ parse_odp_push_nsh_action(const char *s, struct ofpbuf *actions) } } else if (nsh.mdtype == NSH_M_TYPE2) { - struct ofpbuf b; + struct ofpbuf *b; char buf[512]; size_t mdlen, padding; if (ovs_scan_len(s, &n, "md2=0x%511[0-9a-fA-F]", buf) && n/2 <= sizeof metadata) { - ofpbuf_use_stub(&b, metadata, sizeof metadata); - ofpbuf_put_hex(&b, buf, &mdlen); + b = ofpbuf_new_with_headroom(n / 2, 3); + ofpbuf_put_hex(b, buf, &mdlen); /* Pad metadata to 4 bytes. */ padding = PAD_SIZE(mdlen, 4); if (padding > 0) { - ofpbuf_push_zeros(&b, padding); + ofpbuf_push_zeros(b, padding); } md_size = mdlen + padding; - ofpbuf_uninit(&b); + memcpy(metadata, ofpbuf_at(b, 0, md_size), md_size); + ofpbuf_uninit(b); continue; } } -- 2.7.4 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
