| Message ID | 20170527030003.26071-1-blp@ovn.org |
|---|---|
| State | Accepted |
| Headers | show |
> On May 26, 2017, at 8:00 PM, Ben Pfaff <blp@ovn.org> wrote: > > If a switch claimed to support an instruction that OVS does not know about, > then print_table_instruction_features() would read past the end of the > array of instruction names. This fixes the problem. > > None of the other uses of print_table_instruction_features() appear to have > the same problem. > > Found by Coverity. > > Reported-at: https://scan3.coverity.com/reports.htm#v16889/p10449/fileInstanceId=14762675&defectInstanceId=4305296&mergedDefectId=179859 > Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Justin Pettit <jpettit@ovn.org> --Justin
On Thu, Jun 01, 2017 at 04:23:52PM -0700, Justin Pettit wrote: > > > On May 26, 2017, at 8:00 PM, Ben Pfaff <blp@ovn.org> wrote: > > > > If a switch claimed to support an instruction that OVS does not know about, > > then print_table_instruction_features() would read past the end of the > > array of instruction names. This fixes the problem. > > > > None of the other uses of print_table_instruction_features() appear to have > > the same problem. > > > > Found by Coverity. > > > > Reported-at: https://scan3.coverity.com/reports.htm#v16889/p10449/fileInstanceId=14762675&defectInstanceId=4305296&mergedDefectId=179859 > > Signed-off-by: Ben Pfaff <blp@ovn.org> > > Acked-by: Justin Pettit <jpettit@ovn.org> Thanks, applied to master, backported as far as 2.5.
diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c index af52f147df2e..dc3d6dc6bb3a 100644 --- a/lib/ofp-actions.c +++ b/lib/ofp-actions.c @@ -6839,7 +6839,7 @@ OVS_INSTRUCTIONS const char * ovs_instruction_name_from_type(enum ovs_instruction_type type) { - return inst_info[type].name; + return type < ARRAY_SIZE(inst_info) ? inst_info[type].name : NULL; } int diff --git a/lib/ofp-print.c b/lib/ofp-print.c index 7ca953100539..ca8f7407e761 100644 --- a/lib/ofp-print.c +++ b/lib/ofp-print.c @@ -2879,7 +2879,13 @@ print_table_instruction_features( for (i = 0; i < 32; i++) { if (tif->instructions & (1u << i)) { - ds_put_format(s, "%s,", ovs_instruction_name_from_type(i)); + const char *name = ovs_instruction_name_from_type(i); + if (name) { + ds_put_cstr(s, name); + } else { + ds_put_format(s, "%d", i); + } + ds_put_char(s, ','); } } ds_chomp(s, ',');
If a switch claimed to support an instruction that OVS does not know about, then print_table_instruction_features() would read past the end of the array of instruction names. This fixes the problem. None of the other uses of print_table_instruction_features() appear to have the same problem. Found by Coverity. Reported-at: https://scan3.coverity.com/reports.htm#v16889/p10449/fileInstanceId=14762675&defectInstanceId=4305296&mergedDefectId=179859 Signed-off-by: Ben Pfaff <blp@ovn.org> --- lib/ofp-actions.c | 2 +- lib/ofp-print.c | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-)