[ovs-dev] odp-util: Add checking to prevent buffer overflow when parsing push_nsh

Message ID 1542137124-25502-1-git-send-email-pkusunyifeng@gmail.com
State Accepted

Commit Message

Yifeng Sun Nov. 13, 2018, 7:25 p.m. UTC
Previously, the buffer size of 'struct ofpbuf b' is less than the
size of 'char buf[512]', this could cause memory overflow of ofpbuf
when calling ofpbuf_put_hex. This patch fixes it.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10865
Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com>
---
 lib/odp-util.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

Comments

Ben Pfaff Nov. 15, 2018, 4:37 p.m. UTC | #1
On Tue, Nov 13, 2018 at 11:25:24AM -0800, Yifeng Sun wrote:
> Previously, the buffer size of 'struct ofpbuf b' is less than the
> size of 'char buf[512]', this could cause memory overflow of ofpbuf
> when calling ofpbuf_put_hex. This patch fixes it.
> 
> Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10865
> Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com>

Thanks, applied and backported.
Patch

diff --git a/lib/odp-util.c b/lib/odp-util.c
index 627baaa397ed..bb6669b37af9 100644
--- a/lib/odp-util.c
+++ b/lib/odp-util.c
@@ -2111,9 +2111,9 @@  parse_odp_push_nsh_action(const char *s, struct ofpbuf *actions)
             struct ofpbuf b;
             char buf[512];
             size_t mdlen, padding;
-            if (ovs_scan_len(s, &n, "md2=0x%511[0-9a-fA-F]", buf)) {
-                ofpbuf_use_stub(&b, metadata,
-                                NSH_CTX_HDRS_MAX_LEN);
+            if (ovs_scan_len(s, &n, "md2=0x%511[0-9a-fA-F]", buf)
+                && n/2 <= sizeof metadata) {
+                ofpbuf_use_stub(&b, metadata, sizeof metadata);
                 ofpbuf_put_hex(&b, buf, &mdlen);
                 /* Pad metadata to 4 bytes. */
                 padding = PAD_SIZE(mdlen, 4);
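
Review bot: The new bound `n/2 <= sizeof metadata` tests `n`, the count that ovs_scan_len() writes back for a format starting with the literal `md2=0x`, so it is not the number of hex digits stored in `buf`. Because `n` is at least as large as the digit count, the check errs on the safe side and cannot admit an oversized value, but it can reject metadata that would actually fit, and a reader cannot tell from the condition alone why `n/2` stands in for the decoded length. Bounding the decoded size directly, for example `strlen(buf) / 2 <= sizeof metadata`, would state the intent exactly. A one-line comment above the condition saying that it keeps ofpbuf_put_hex() within `metadata` would help either way. It is also worth confirming that the path taken when the condition is false reports a parse error to the caller, since the hunk does not show what happens when over-long `md2` input is rejected.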