From patchwork Wed Oct 10 23:02:56 2018
X-Patchwork-Submitter: Yifeng Sun
X-Patchwork-Id: 982139
From: Yifeng Sun
To: dev@openvswitch.org
Date: Wed, 10 Oct 2018 16:02:56 -0700
Message-Id: <1539212576-13027-1-git-send-email-pkusunyifeng@gmail.com>
Subject: [ovs-dev] [PATCH v3] expr: Access expr_constant.mask only when its type is EXPR_C_INTEGER

It is unsafe to access expr_constant.masked when its type is EXPR_C_STRING as its value is uninitialized. This patch fixes this issue.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10731
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10767
Signed-off-by: Yifeng Sun
---
v1->v2: Fix email subject by adding [ovs-dev]
v2->v3: Inspect through code to make sure expr_constant is accessed correctly by its type, thanks Ben for the review!

ovn/lib/expr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ovn/lib/expr.c b/ovn/lib/expr.c index 5880fd2e7289..0fbe109783da 100644 --- a/ovn/lib/expr.c +++ b/ovn/lib/expr.c @@ -581,7 +581,7 @@ make_cmp(struct expr_context *ctx, f->symbol->name); goto exit; } - if (cs->values[0].masked) { + if (cs->type == EXPR_C_INTEGER && cs->values[0].masked) { lexer_error(ctx->lexer, "Only == and != operators may be used " "with masked constants. Consider using subfields " "instead (e.g. eth.src[0..15] > 0x1111 in place of "
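
Review bot: The new guard in make_cmp (`cs->type == EXPR_C_INTEGER && cs->values[0].masked`) arrives without a regression test: the diffstat touches only ovn/lib/expr.c, although the commit cites two oss-fuzz reports. Consider adding a test case that reaches this check with a string constant, so the uninitialized read of `masked` stays covered. The subject names the field `expr_constant.mask` while the commit body and the changed line use `masked`; use the name that matches the line being guarded. The v3 note says the other accesses were inspected; stating in the commit message itself that this was the only unguarded site would make the one-line diff easier to verify.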