[ovs-dev,1/2] odp-util: Fix a bug that causes stack overflow

Message ID 1539124758-7478-1-git-send-email-pkusunyifeng@gmail.com
State Changes Requested
Headers show
Series
  • [ovs-dev,1/2] odp-util: Fix a bug that causes stack overflow
Related show

Commit Message

Yifeng Sun Oct. 9, 2018, 10:39 p.m.
ofpbuf_put_hex doesn't know buf's length and only checks buf's content
to process. This is dangerous. This patch fixes it.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10865
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10863
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10855
Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com>
---
 lib/odp-util.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Ben Pfaff Oct. 11, 2018, 8:18 p.m. | #1
On Tue, Oct 09, 2018 at 03:39:17PM -0700, Yifeng Sun wrote:
> ofpbuf_put_hex doesn't know buf's length and only checks buf's content
> to process. This is dangerous. This patch fixes it.
> 
> Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10865
> Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10863
> Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10855
> Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com>
> ---
>  lib/odp-util.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/lib/odp-util.c b/lib/odp-util.c
> index 7705bb30ae21..d482d5bcf968 100644
> --- a/lib/odp-util.c
> +++ b/lib/odp-util.c
> @@ -2107,6 +2107,7 @@ parse_odp_push_nsh_action(const char *s, struct ofpbuf *actions)
>              if (ovs_scan_len(s, &n, "md2=0x%511[0-9a-fA-F]", buf)) {
>                  ofpbuf_use_stub(&b, metadata,
>                                  NSH_CTX_HDRS_MAX_LEN);
> +                buf[n - 6] = '\0';

I don't understand this patch yet.  ovs_scan_len() should always
null-terminate buf.  Are there cases where it does not do that?
Yifeng Sun Oct. 11, 2018, 8:33 p.m. | #2
In scan_set, '\0' is not always put in the buf.
Ok, I think this patch is not the correct way to fix this issue,
I will come up with a new version.

Thanks,
Yifeng

On Thu, Oct 11, 2018 at 1:18 PM Ben Pfaff <blp@ovn.org> wrote:

> On Tue, Oct 09, 2018 at 03:39:17PM -0700, Yifeng Sun wrote:
> > ofpbuf_put_hex doesn't know buf's length and only checks buf's content
> > to process. This is dangerous. This patch fixes it.
> >
> > Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10865
> > Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10863
> > Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10855
> > Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com>
> > ---
> >  lib/odp-util.c | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/lib/odp-util.c b/lib/odp-util.c
> > index 7705bb30ae21..d482d5bcf968 100644
> > --- a/lib/odp-util.c
> > +++ b/lib/odp-util.c
> > @@ -2107,6 +2107,7 @@ parse_odp_push_nsh_action(const char *s, struct
> ofpbuf *actions)
> >              if (ovs_scan_len(s, &n, "md2=0x%511[0-9a-fA-F]", buf)) {
> >                  ofpbuf_use_stub(&b, metadata,
> >                                  NSH_CTX_HDRS_MAX_LEN);
> > +                buf[n - 6] = '\0';
>
> I don't understand this patch yet.  ovs_scan_len() should always
> null-terminate buf.  Are there cases where it does not do that?
>

Patch

diff --git a/lib/odp-util.c b/lib/odp-util.c
index 7705bb30ae21..d482d5bcf968 100644
--- a/lib/odp-util.c
+++ b/lib/odp-util.c
@@ -2107,6 +2107,7 @@  parse_odp_push_nsh_action(const char *s, struct ofpbuf *actions)
             if (ovs_scan_len(s, &n, "md2=0x%511[0-9a-fA-F]", buf)) {
                 ofpbuf_use_stub(&b, metadata,
                                 NSH_CTX_HDRS_MAX_LEN);
+                buf[n - 6] = '\0';
                 ofpbuf_put_hex(&b, buf, &mdlen);
                 /* Pad metadata to 4 bytes. */
                 padding = PAD_SIZE(mdlen, 4);