Re: [ovs-dev] [PATCH] lib: added check to prevent int overflow
On Tue, Mar 12, 2019 at 08:26:43AM -0700, Toms Atteka wrote:
> If enough large input is given ofpact_finish will fail.
> Check was added and error message returned.
>
> Basic manual testing performed.
>
> Reported-by:
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12972
> Signed-off-by: Toms Atteka

Thanks for the fix.

Would you mind adding a helper function that does the check? It is better to introduce a new function ofpact_oversized(), or whatever, than to introduce too many details of the implementation into learn_parse__().

Did you try to look around for other uses of ofpact_finish_*(), to see whether other cases could have the same problem?

Thanks,

Ben.
___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
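The helper suggested in the reply above, sketched as an added stand-alone C example (not code from the patch or from Open vSwitch). The names act_hdr, act_buf, act_oversized(), act_finish(), build_action() and truncated_len() are hypothetical stand-ins, and the sketch assumes, as the UINT16_MAX comparison in the patch implies, that an action's length is kept in a 16-bit field.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins, not OVS types: header with a 16-bit length field. */
struct act_hdr { uint16_t type; uint16_t len; };
struct act_buf { uint8_t *data; size_t size; size_t header; };

/* True if the action spanning header..tail cannot fit the 16-bit length. */
bool act_oversized(const struct act_buf *b) {
    return b->size - b->header > UINT16_MAX;
}

/* Checked finish: stores the length, or returns an error and stores nothing. */
const char *act_finish(struct act_buf *b) {
    if (act_oversized(b)) {
        return "action does not fit in 16-bit length";
    }
    struct act_hdr h;
    memcpy(&h, b->data + b->header, sizeof h);
    h.len = (uint16_t) (b->size - b->header);
    memcpy(b->data + b->header, &h, sizeof h);
    return NULL;
}

/* Build one action with `payload` zero bytes after the header (constructed
 * input). Returns the stored length, or -1 if act_finish() rejected it. */
long build_action(size_t payload) {
    size_t n = sizeof(struct act_hdr) + payload;
    struct act_buf b = { calloc(1, n), n, 0 };
    struct act_hdr h = { 0, 0 };
    long stored = -1;
    if (!b.data) abort();
    if (!act_finish(&b)) {
        memcpy(&h, b.data, sizeof h);
        stored = h.len;
    }
    free(b.data);
    return stored;
}

/* What an unchecked narrowing cast would have stored for the same action. */
unsigned truncated_len(size_t payload) {
    return (uint16_t) (sizeof(struct act_hdr) + payload);
}

int main(void) {
    printf("%ld %ld %u\n", build_action(65531), build_action(65532),
           truncated_len(65540));
    return 0;
}
```

The boundary case is the one worth testing: an action of exactly UINT16_MAX bytes is accepted, one byte more is rejected, and without the check the stored length would wrap to a small value.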
[ovs-dev] [PATCH] lib: added check to prevent int overflow
If enough large input is given ofpact_finish will fail. Check was added and error message returned. Basic manual testing performed. Reported-by: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12972 Signed-off-by: Toms Atteka --- lib/learn.c | 5 + 1 file changed, 5 insertions(+) diff --git a/lib/learn.c b/lib/learn.c index 642ce18..5b168e4 100644 --- a/lib/learn.c +++ b/lib/learn.c @@ -455,6 +455,11 @@ learn_parse__(char *orig, char *arg, const struct ofputil_port_map *port_map, learn = ofpacts->header; } } + +if ((char *)ofpbuf_tail(ofpacts) - (char *)ofpacts->header > UINT16_MAX) { +return xasprintf("input too big"); +} + ofpact_finish_LEARN(ofpacts, ); return NULL; -- 2.7.4 ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
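Review bot: the string returned by the added `return xasprintf("input too big");` names neither the action nor the limit, so a user who hits it cannot tell that the learn action's encoded length exceeded UINT16_MAX. learn_parse__() already has orig in scope, so the message could include the original argument text and the limit; as written there are no format arguments, so a plain string duplicate would do the same job as xasprintf. The condition in the same `if` open-codes the length as a pointer difference from ofpacts->header to ofpbuf_tail(ofpacts); moving that comparison into a small helper would keep it in one place and let it be reused at other ofpact_finish_*() call sites that can grow past the same bound. The commit message records only manual testing, so a regression test that feeds an oversized learn specification and expects this error would be worth adding.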