| Message ID | 1552404403-121854-1-git-send-email-cpp.code.lv@gmail.com |
|---|---|
| State | Changes Requested |
| Headers | show |
| Series | [ovs-dev] lib: added check to prevent int overflow | expand |
On Tue, Mar 12, 2019 at 08:26:43AM -0700, Toms Atteka wrote: > If enough large input is given ofpact_finish will fail. > Check was added and error message returned. > > Basic manual testing performed. > > Reported-by: > https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12972 > Signed-off-by: Toms Atteka <cpp.code.lv@gmail.com> Thanks for the fix. Would you mind adding a helper function that does the check? It is better to introduce a new function ofpact_oversized(), or whatever, than to introduce too many details of the implementation into learn_parse__(). Did you try to look around for other uses of ofpact_finish_*(), to see whether other cases could have the same problem? Thanks, Ben.
diff --git a/lib/learn.c b/lib/learn.c index 642ce18..5b168e4 100644 --- a/lib/learn.c +++ b/lib/learn.c @@ -455,6 +455,11 @@ learn_parse__(char *orig, char *arg, const struct ofputil_port_map *port_map, learn = ofpacts->header; } } + + if ((char *)ofpbuf_tail(ofpacts) - (char *)ofpacts->header > UINT16_MAX) { + return xasprintf("input too big"); + } + ofpact_finish_LEARN(ofpacts, &learn); return NULL;
If enough large input is given ofpact_finish will fail. Check was added and error message returned. Basic manual testing performed. Reported-by: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12972 Signed-off-by: Toms Atteka <cpp.code.lv@gmail.com> --- lib/learn.c | 5 +++++ 1 file changed, 5 insertions(+)