Currently, ovs-ofctl and other associated tools will validate the size of flow actions. However, there are some code paths that do not validate the size correctly.
When adding more than 1000 logical switch ports to an OVS bridge in OVN, OVN will happily create a flow with potentially unlimited actions. This can cause OVS to call abort() when it attempts to re-serialize the flow actions. This change will validate the size with every call to ofpacts_verify, which should cover all remaining code paths. Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2020770 Signed-off-by: Mike Pattrick <[email protected]> --- lib/ofp-actions.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c index ecf914eac..74b8b65ac 100644 --- a/lib/ofp-actions.c +++ b/lib/ofp-actions.c @@ -8749,6 +8749,10 @@ ofpacts_verify(const struct ofpact ofpacts[], size_t ofpacts_len, const struct ofpact *a; enum ovs_instruction_type inst; + if (ofpacts_len > ROUND_DOWN(UINT16_MAX, OFP_ACTION_ALIGN)) { + return OFPERR_OFPBAC_BAD_LEN; + } + inst = OVSINST_OFPIT13_METER; OFPACT_FOR_EACH (a, ofpacts, ofpacts_len) { enum ovs_instruction_type next; -- 2.27.0 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
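Review bot: the new early return at the top of ofpacts_verify() has no comment explaining where the bound comes from; a short note that OpenFlow carries action and instruction lengths in a 16-bit field, so a list longer than ROUND_DOWN(UINT16_MAX, OFP_ACTION_ALIGN) can never be re-serialized, would save the next reader from wondering why this particular constant and alignment were chosen. Since the commit message says this single check is meant to cover every remaining code path, a unit test that hands ofpacts_verify() an action list just over that limit and asserts OFPERR_OFPBAC_BAD_LEN would pin that claim down and guard against the abort() regressing.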
