[ovs-dev] odp-util: Prevent oversized encap action

Message ID 1547771594-6139-1-git-send-email-pkusunyifeng@gmail.com
State Superseded

Commit Message

Yifeng Sun Jan. 18, 2019, 12:33 a.m. UTC
nla_len in struct nlattr is of type uint16_t. This patch prevents
nla_len from being truncated if the size of encapped actions is too
large.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12255
Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com>
---
 lib/odp-util.c | 4 ++++
 1 file changed, 4 insertions(+)
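
The truncation the commit message describes, shown on a constructed buffer (an added example, not part of the patch or of Open vSwitch): a nested attribute with a 16-bit length field grows past 65535 bytes, the stored length wraps, and a receiver that trusts it reads the trailing children as top-level attributes. `attr_hdr`, `payload_oversized`, `build_nested` and `count_top_level` are hypothetical stand-ins, not OVS functions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for struct nlattr: 16-bit length, then 16-bit type. */
struct attr_hdr { uint16_t len; uint16_t type; };
#define HDRLEN sizeof(struct attr_hdr)
#define CHILD_LEN 1024u              /* header + payload of each sample child */
#define MAX_CHILDREN 80u
static unsigned char buf[HDRLEN + MAX_CHILDREN * CHILD_LEN];

/* Hypothetical guard: header + payload must fit in the 16-bit length. */
static bool payload_oversized(size_t payload) { return payload > UINT16_MAX - HDRLEN; }

static void put_hdr(size_t off, size_t len, uint16_t type) {
    struct attr_hdr h = { (uint16_t) len, type };  /* wraps if len > 65535 */
    memcpy(buf + off, &h, sizeof h);
}

/* Build one nested attribute (type 1) holding n children (type 2). Returns
 * bytes written, or 0 when `checked` and the nest outgrew the length field. */
static size_t build_nested(unsigned n, bool checked) {
    size_t size = HDRLEN;            /* nested header is filled in last */
    for (unsigned i = 0; i < n && i < MAX_CHILDREN; i++) {
        put_hdr(size, CHILD_LEN, 2);
        size += CHILD_LEN;
        if (checked && payload_oversized(size - HDRLEN)) return 0;
    }
    put_hdr(0, size, 1);
    return size;
}

/* Walk the buffer as a receiver would, trusting each length field. */
static unsigned count_top_level(size_t size) {
    unsigned count = 0;
    for (size_t off = 0; off + HDRLEN <= size; count++) {
        struct attr_hdr h;
        memcpy(&h, buf + off, sizeof h);
        if (h.len < HDRLEN || h.len > size - off) break;
        off += h.len;
    }
    return count;
}

int main(void) {
    size_t n = build_nested(70, false);
    printf("unchecked: %zu bytes, %u top-level attrs\n", n, count_top_level(n));
    printf("checked:   %zu bytes\n", build_nested(70, true));
}
```

With 70 children the unchecked build stores a wrapped length, so the walker no longer sees a single nested attribute; the checked build stops as soon as the payload no longer fits.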

Comments

Gregory Rose Feb. 20, 2019, 12:18 a.m. UTC | #1
On 1/17/2019 4:33 PM, Yifeng Sun wrote:
> nla_len in struct nlattr is of type uint16_t. This patch prevents
> nla_len from being truncated if the size of encapped actions is too
> large.
>
> Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12255
> Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com>
> ---
>   lib/odp-util.c | 4 ++++
>   1 file changed, 4 insertions(+)
>
> diff --git a/lib/odp-util.c b/lib/odp-util.c
> index a1c3e5bda550..eac1079cdd93 100644
> --- a/lib/odp-util.c
> +++ b/lib/odp-util.c
> @@ -5600,6 +5600,10 @@ parse_odp_key_mask_attr(struct parse_odp_context *context, const char *s,
>                   return retval;
>               }
>               s += retval;
> +
> +            if (nl_attr_oversized(key->size - encap)) {
> +                return -E2BIG;
> +            }
>           }
>           s++;
>   
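Review bot: the new `if (nl_attr_oversized(key->size - encap))` block returns `-E2BIG` with no comment saying which limit it enforces. A one-line comment above the `if`, noting that the nested attribute's length has to fit the 16-bit nla_len, would save the next reader a trip to the commit message. The return also leaves `key` holding whatever was appended since `encap`, the same as the `return retval;` path just above it, so it is worth confirming that callers discard `key` for this new error code as they do for the existing one.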
Hi Yifeng,

The patch looks OK and I can provide a reviewed-by tag but I don't have
access to the reporter link so I'm unable to look at how to test it.
Seems obvious enough though.

Thanks.

Reviewed-by: Greg Rose <gvrose8192@gmail.com>
Patch

diff --git a/lib/odp-util.c b/lib/odp-util.c
index a1c3e5bda550..eac1079cdd93 100644
--- a/lib/odp-util.c
+++ b/lib/odp-util.c
@@ -5600,6 +5600,10 @@  parse_odp_key_mask_attr(struct parse_odp_context *context, const char *s,
                 return retval;
             }
             s += retval;
+
+            if (nl_attr_oversized(key->size - encap)) {
+                return -E2BIG;
+            }
         }
         s++;
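Review bot: nothing in this change exercises the new `-E2BIG` return after `s += retval;`, since the diffstat touches only `lib/odp-util.c`. A regression test that feeds an encap key long enough to trip `nl_attr_oversized()` would lock the fix in and would show how to test it without access to the oss-fuzz report. It would also help to state whether `key->size - encap` counts the nested attribute's own header, because the exact boundary depends on what `nl_attr_oversized()` expects and `encap` is set outside this hunk.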