| Message ID | 1539124758-7478-1-git-send-email-pkusunyifeng@gmail.com |
|---|---|
| State | Changes Requested |
| Headers | show |
| Series | [ovs-dev,1/2] odp-util: Fix a bug that causes stack overflow | expand |
On Tue, Oct 09, 2018 at 03:39:17PM -0700, Yifeng Sun wrote: > ofpbuf_put_hex doesn't know buf's length and only checks buf's content > to process. This is dangerous. This patch fixes it. > > Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10865 > Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10863 > Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10855 > Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com> > --- > lib/odp-util.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/lib/odp-util.c b/lib/odp-util.c > index 7705bb30ae21..d482d5bcf968 100644 > --- a/lib/odp-util.c > +++ b/lib/odp-util.c > @@ -2107,6 +2107,7 @@ parse_odp_push_nsh_action(const char *s, struct ofpbuf *actions) > if (ovs_scan_len(s, &n, "md2=0x%511[0-9a-fA-F]", buf)) { > ofpbuf_use_stub(&b, metadata, > NSH_CTX_HDRS_MAX_LEN); > + buf[n - 6] = '\0'; I don't understand this patch yet. ovs_scan_len() should always null-terminate buf. Are there cases where it does not do that?
In scan_set, '\0' is not always put in the buf. Ok, I think this patch is not the correct way to fix this issue, I will come up with a new version. Thanks, Yifeng On Thu, Oct 11, 2018 at 1:18 PM Ben Pfaff <blp@ovn.org> wrote: > On Tue, Oct 09, 2018 at 03:39:17PM -0700, Yifeng Sun wrote: > > ofpbuf_put_hex doesn't know buf's length and only checks buf's content > > to process. This is dangerous. This patch fixes it. > > > > Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10865 > > Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10863 > > Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10855 > > Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com> > > --- > > lib/odp-util.c | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/lib/odp-util.c b/lib/odp-util.c > > index 7705bb30ae21..d482d5bcf968 100644 > > --- a/lib/odp-util.c > > +++ b/lib/odp-util.c > > @@ -2107,6 +2107,7 @@ parse_odp_push_nsh_action(const char *s, struct > ofpbuf *actions) > > if (ovs_scan_len(s, &n, "md2=0x%511[0-9a-fA-F]", buf)) { > > ofpbuf_use_stub(&b, metadata, > > NSH_CTX_HDRS_MAX_LEN); > > + buf[n - 6] = '\0'; > > I don't understand this patch yet. ovs_scan_len() should always > null-terminate buf. Are there cases where it does not do that? >
diff --git a/lib/odp-util.c b/lib/odp-util.c index 7705bb30ae21..d482d5bcf968 100644 --- a/lib/odp-util.c +++ b/lib/odp-util.c @@ -2107,6 +2107,7 @@ parse_odp_push_nsh_action(const char *s, struct ofpbuf *actions) if (ovs_scan_len(s, &n, "md2=0x%511[0-9a-fA-F]", buf)) { ofpbuf_use_stub(&b, metadata, NSH_CTX_HDRS_MAX_LEN); + buf[n - 6] = '\0'; ofpbuf_put_hex(&b, buf, &mdlen); /* Pad metadata to 4 bytes. */ padding = PAD_SIZE(mdlen, 4);
ofpbuf_put_hex doesn't know buf's length and only checks buf's content to process. This is dangerous. This patch fixes it. Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10865 Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10863 Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10855 Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com> --- lib/odp-util.c | 1 + 1 file changed, 1 insertion(+)