| Message ID | 1547678228-14075-1-git-send-email-pkusunyifeng@gmail.com |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [ovs-dev] ofp-actions: Avoid overflow for ofpact_learn_spec->n_bits | expand |
On Wed, Jan 16, 2019 at 02:37:08PM -0800, Yifeng Sun wrote: > ofpact_learn_spec->n_bits is the size of immediate data that is > following ofpact_learn_spec. Now it is defined as 'uint8_t'. > In many places, it gets its value directly from mf_subfield->n_bits, > whose type is 'unsigned int'. If input is large enough, there will > be uint8_t overflow. > > For example, the following command will make ovs-ofctl crash: > ovs-ofctl add-flow br0 "table=0, priority=0, action=learn(limit=20 tun_metadata15=0x60ff00000000000003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002fffffffffffffff0ffffffffffffffffffffffffffff)" > > This patch fixies this issue by changing type of ofpact_learn_spec->n_bits > from uint8_t to uint32_t. > > Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11870 > Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com> Thanks, applied and backported.
diff --git a/include/openvswitch/ofp-actions.h b/include/openvswitch/ofp-actions.h index 4daf5ad071da..caaa37c05a1d 100644 --- a/include/openvswitch/ofp-actions.h +++ b/include/openvswitch/ofp-actions.h @@ -799,7 +799,7 @@ struct ofpact_learn_spec { * NX_LEARN_DST_LOAD only. */ uint16_t src_type; /* One of NX_LEARN_SRC_*. */ uint16_t dst_type; /* One of NX_LEARN_DST_*. */ - uint8_t n_bits; /* Number of bits in source and dest. */ + uint32_t n_bits; /* Number of bits in source and dest. */ ); /* Followed by 'DIV_ROUND_UP(n_bits, 8)' bytes of immediate data for * match 'dst_type's NX_LEARN_DST_MATCH and NX_LEARN_DST_LOAD when
ofpact_learn_spec->n_bits is the size of immediate data that is following ofpact_learn_spec. Now it is defined as 'uint8_t'. In many places, it gets its value directly from mf_subfield->n_bits, whose type is 'unsigned int'. If input is large enough, there will be uint8_t overflow. For example, the following command will make ovs-ofctl crash: ovs-ofctl add-flow br0 "table=0, priority=0, action=learn(limit=20 tun_metadata15=0x60ff00000000000003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002fffffffffffffff0ffffffffffffffffffffffffffff)" This patch fixies this issue by changing type of ofpact_learn_spec->n_bits from uint8_t to uint32_t. Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11870 Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com> --- include/openvswitch/ofp-actions.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)