nla_len in struct nlattr is of type uint16_t. This patch prevents nla_len from being truncated if the size of encapped actions is too large.
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12255 Signed-off-by: Yifeng Sun <[email protected]> --- lib/odp-util.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lib/odp-util.c b/lib/odp-util.c index a1c3e5bda550..eac1079cdd93 100644 --- a/lib/odp-util.c +++ b/lib/odp-util.c @@ -5600,6 +5600,10 @@ parse_odp_key_mask_attr(struct parse_odp_context *context, const char *s, return retval; } s += retval; + + if (nl_attr_oversized(key->size - encap)) { + return -E2BIG; + } } s++; -- 2.7.4 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
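Review bot: the argument `key->size - encap` in the new check after `s += retval;` needs a comment stating what it measures, because the hunk does not show whether `encap` is the offset of the nested attribute's header or of its payload. If it is the header offset, the value passed to nl_attr_oversized() includes the header as well as the payload, and the limit is hit slightly earlier than the uint16_t bound on nla_len requires. That is safe, but worth saying in the comment. The check also runs only after each nested attribute has already been appended to `key`, so on `-E2BIG` the buffer holds a partial, unterminated nested attribute. The existing `return retval;` just above behaves the same way, so this is consistent, but it relies on callers discarding `key` on a negative return. The commit message says "encapped actions" while the function being changed is parse_odp_key_mask_attr(), which parses keys; please align the wording. A regression test that feeds an oversized encap key and expects the error would keep the fuzzer finding from reappearing.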
