Message ID | 1549065364-2955-1-git-send-email-pkusunyifeng@gmail.com |
---|---|
State | Accepted |
Series | [ovs-dev] odp-util: Stop parse odp actions if nlattr is overflow |
On Fri, Feb 01, 2019 at 03:56:04PM -0800, Yifeng Sun wrote:
> `encap = nl_msg_start_nested(key, OVS_KEY_ATTR_ENCAP)` ensures that
> key->size >= (encap + NLA_HDRLEN), so the `if` statement is safe.
>
> Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11306
> Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com>

Thank you. I applied this to master and backported it as far as it would go.
diff --git a/lib/odp-util.c b/lib/odp-util.c index 778c00ee8876..482a0be2f9d7 100644 --- a/lib/odp-util.c +++ b/lib/odp-util.c @@ -5599,6 +5599,10 @@ parse_odp_key_mask_attr(struct parse_odp_context *context, const char *s, context->depth--; return retval; } + + if (nl_attr_oversized(key->size - encap - NLA_HDRLEN)) { + return -E2BIG; + } s += retval; } s++;
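Review bot: the new `return -E2BIG;` in this hunk leaves `context->depth` incremented, while the error path immediately above it does `context->depth--;` before `return retval;`. The oversize check sits inside the same loop over nested encap() attributes, so an oversized nested key bails out of the recursion with the depth counter one too high; suggest mirroring the existing path, i.e. `context->depth--;` before `return -E2BIG;`, so both early exits restore the depth the way the normal `s++;` path presumably does after the loop. The subtraction `key->size - encap - NLA_HDRLEN` itself is fine, as the commit message argues: `nl_msg_start_nested()` has already put the encap header into `key`, so `key->size >= encap + NLA_HDRLEN` holds and the argument to `nl_attr_oversized()` cannot underflow.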
`encap = nl_msg_start_nested(key, OVS_KEY_ATTR_ENCAP)` ensures that
key->size >= (encap + NLA_HDRLEN), so the `if` statement is safe.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11306
Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com>
---
 lib/odp-util.c | 4 ++++
 1 file changed, 4 insertions(+)