[ovs-dev] lib: added check to prevent int overflow
diff mbox series

Message ID 1552404403-121854-1-git-send-email-cpp.code.lv@gmail.com
State New
Headers show
Series
  • [ovs-dev] lib: added check to prevent int overflow
Related show

Commit Message

Cpp Code March 12, 2019, 3:26 p.m. UTC
If enough large input is given ofpact_finish will fail.
Check was added and error message returned.

Basic manual testing performed.

Reported-by:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12972
Signed-off-by: Toms Atteka <cpp.code.lv@gmail.com>
---
 lib/learn.c | 5 +++++
 1 file changed, 5 insertions(+)

Comments

Ben Pfaff March 15, 2019, 11:19 p.m. UTC | #1
On Tue, Mar 12, 2019 at 08:26:43AM -0700, Toms Atteka wrote:
> If enough large input is given ofpact_finish will fail.
> Check was added and error message returned.
> 
> Basic manual testing performed.
> 
> Reported-by:
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12972
> Signed-off-by: Toms Atteka <cpp.code.lv@gmail.com>

Thanks for the fix.

Would you mind adding a helper function that does the check?  It is
better to introduce a new function ofpact_oversized(), or whatever, than
to introduce too many details of the implementation into
learn_parse__().

Did you try to look around for other uses of ofpact_finish_*(), to see
whether other cases could have the same problem?

Thanks,

Ben.

Patch
diff mbox series

diff --git a/lib/learn.c b/lib/learn.c
index 642ce18..5b168e4 100644
--- a/lib/learn.c
+++ b/lib/learn.c
@@ -455,6 +455,11 @@  learn_parse__(char *orig, char *arg, const struct ofputil_port_map *port_map,
             learn = ofpacts->header;
         }
     }
+
+    if ((char *)ofpbuf_tail(ofpacts) - (char *)ofpacts->header > UINT16_MAX) {
+        return xasprintf("input too big");
+    }
+
     ofpact_finish_LEARN(ofpacts, &learn);
 
     return NULL;