On 1/17/2019 4:33 PM, Yifeng Sun wrote:
nla_len in struct nlattr is of type uint16_t. This patch prevents
nla_len from being truncated if the size of encapped actions is too
large.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12255
Signed-off-by: Yifeng Sun <[email protected]>
---
  lib/odp-util.c | 4 ++++
  1 file changed, 4 insertions(+)

diff --git a/lib/odp-util.c b/lib/odp-util.c
index a1c3e5bda550..eac1079cdd93 100644
--- a/lib/odp-util.c
+++ b/lib/odp-util.c
@@ -5600,6 +5600,10 @@ parse_odp_key_mask_attr(struct parse_odp_context 
*context, const char *s,
                  return retval;
              }
              s += retval;
+
+            if (nl_attr_oversized(key->size - encap)) {
+                return -E2BIG;
+            }
          }
          s++;
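Review bot: the new check after `s += retval;` introduces -E2BIG as a return value of parse_odp_key_mask_attr(), and nothing in the hunk shows whether callers distinguish specific negative codes or just treat any negative as failure; please confirm the latter, or map to the code the existing error path (`return retval;`) already uses. A one-line comment above `if (nl_attr_oversized(key->size - encap))` stating that the nested size must fit a 16-bit nla_len would also help, since the reason for the limit is only in the commit message, not next to the code.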
Hi Yifeng,

The patch looks OK and I can provide a reviewed-by tag but I don't have access to the reporter link so
I'm unable to look at how to test it.  Seems obvious enough though.

Thanks.

Reviewed-by: Greg Rose <[email protected]>
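To make the truncation concrete, here is an added stand-alone C sketch (not OVS code, and not part of the patch) of the failure mode the commit message describes: a nested attribute's total size is written into a 16-bit nla_len, so without a size check a large encapsulated payload is stored modulo 2^16. The `attr_oversized()` helper below is an assumed stand-in for OVS's `nl_attr_oversized()`, and `nest_end()` is a hypothetical nest-closing routine that applies the check before writing the header.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Minimal netlink attribute header: the length field is only 16 bits, so a
 * nested attribute whose total size exceeds UINT16_MAX cannot be encoded. */
struct nlattr {
    uint16_t nla_len;
    uint16_t nla_type;
};

#define NLA_HDRLEN ((size_t) sizeof(struct nlattr))

/* Assumed stand-in for nl_attr_oversized(): true when a payload of
 * 'payload_size' bytes plus its header does not fit in nla_len. */
static bool
attr_oversized(size_t payload_size)
{
    return payload_size > UINT16_MAX - NLA_HDRLEN;
}

/* What an unchecked cast would store: the total length modulo 2^16. */
static uint16_t
truncated_len(size_t total)
{
    return (uint16_t) total;
}

/* Hypothetical nest-closing routine.  The nest header sits at 'offset' in a
 * buffer that is now 'size' bytes long.  Returns 0 and writes the header, or
 * -E2BIG when the encapsulated contents are too large for nla_len (the same
 * check the patch adds, applied before any truncation can happen). */
static int
nest_end(uint8_t *buf, size_t offset, size_t size, uint16_t type)
{
    size_t payload = size - offset - NLA_HDRLEN;
    if (attr_oversized(payload)) {
        return -E2BIG;
    }
    struct nlattr hdr = { .nla_len = (uint16_t) (size - offset), .nla_type = type };
    memcpy(buf + offset, &hdr, sizeof hdr);
    return 0;
}

/* Constructed demo: close a 64-byte nest and return the encoded nla_len. */
static int
demo_encoded_len(void)
{
    uint8_t buf[64] = { 0 };
    struct nlattr hdr;
    if (nest_end(buf, 0, sizeof buf, 1) != 0) {
        return -1;
    }
    memcpy(&hdr, buf, sizeof hdr);
    return hdr.nla_len;
}
```

A 70000-byte nest would silently become 4464 bytes through the cast, whereas `nest_end()` rejects it with -E2BIG.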

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev