Re: [ovs-dev] [PATCH] lib: added check to prevent int overflow

[Ben Pfaff]

On Tue, Mar 12, 2019 at 08:26:43AM -0700, Toms Atteka wrote:
> If enough large input is given ofpact_finish will fail.
> Check was added and error message returned.
> 
> Basic manual testing performed.
> 
> Reported-by:
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12972
> Signed-off-by: Toms Atteka 

Thanks for the fix.

Would you mind adding a helper function that does the check?  It is
better to introduce a new function ofpact_oversized(), or whatever, than
to introduce too many details of the implementation into
learn_parse__().

Did you try to look around for other uses of ofpact_finish_*(), to see
whether other cases could have the same problem?

Thanks,

Ben.
___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev

[ovs-dev] [PATCH] lib: added check to prevent int overflow

[Toms Atteka]

If enough large input is given ofpact_finish will fail.
Check was added and error message returned.

Basic manual testing performed.

Reported-by:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12972
Signed-off-by: Toms Atteka 
---
 lib/learn.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/lib/learn.c b/lib/learn.c
index 642ce18..5b168e4 100644
--- a/lib/learn.c
+++ b/lib/learn.c
@@ -455,6 +455,11 @@ learn_parse__(char *orig, char *arg, const struct 
ofputil_port_map *port_map,
 learn = ofpacts->header;
 }
 }
+
+if ((char *)ofpbuf_tail(ofpacts) - (char *)ofpacts->header > UINT16_MAX) {
+return xasprintf("input too big");
+}
+
 ofpact_finish_LEARN(ofpacts, );
 
 return NULL;
-- 
2.7.4

___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev